A policy describes the conditions under which an action is permitted or forbidden. We show that 
a fragment of (multi-sorted) first-order logic can be used to represent and reason about policies. 
Because we use first-order logic, policies have a clear syntax and semantics. We show that further 
restricting the fragment results in a language that is still quite expressive yet is also tractable. 
More precisely, questions about entailment, such as 'May Alice access the file?', can be answered 
in time that is a low-order polynomial (indeed, almost linear in some cases), as can questions 
about the consistency of policy sets. 

Categories and Subject Descriptors: H.2.7 [Database Management]: Database Administration — Security; integrity; protection; K.4.4 [Computers and Society]: Electronic Commerce — Security 

General Terms: Security, Languages 

Additional Key Words and Phrases: Digital Rights Management 



1. INTRODUCTION 

A policy describes the conditions under which an action, such as reading a file, is 
permitted or forbidden. Digital-content providers have a rough idea of what their 
policies should be. Unfortunately, policies are typically described informally. As a 
result, their meaning and consequences are not always clear. To better understand 
the problem, consider the statement "only librarians may edit the on-line catalog" . 
We can view this statement as a policy because it governs who may edit the catalog, 
based on whether the editor is a librarian. It is not clear if this policy permits 
librarians to make changes to the catalog or only forbids anyone who is not a 
librarian from doing so. The policy could be rewritten to remove this particular 
ambiguity, but others are likely to exist if policies are written in a natural language. 

Of course, policies do not need to be written in a natural language. Access control 
lists (ACLs) [Pfleeger 1997] have been used for decades to capture simple policies 
in an unambiguous way. Unfortunately, ACLs lack the expressive power needed 
by many of today's digital-content providers. For example, we cannot capture the policy "members are permitted to access the digital library"; the best we can do using ACLs is to maintain a list that must be updated whenever the set of members changes. Another option is to write policies in an XML-based language. Two popular choices are XrML (eXtensible rights Markup Language) [ContentGuard 2001] and ODRL (Open Digital Rights Language) [Iannella 2001]. These languages can be given formal semantics (in part because their syntax, unlike that of natural languages, is quite restricted) and they do have more expressive power than ACLs. Prior to our work, however, neither language had formal semantics and, as a result, policies written in these languages were often ambiguous.¹ 

The formal-methods community has proposed a number of languages that have 
formal semantics. Perhaps the most popular approach is to base the language 
on some extension of Datalog [Garcia-Molina et al. 2002]. These extensions are 
tractable fragments of first-order logic that allow a limited use of function symbols 
and negation. Unfortunately, the extensions do not seem to have the necessary 
expressive power to capture a number of policies that are currently written in 
English. For example, in the iTunes Terms of Sale [Apple Computer 2004], certain 
actions are explicitly forbidden and others are unregulated; most of the variants of 
Datalog cannot distinguish between the two categories. 

Our goal in this paper is to provide a better language in which to write policies. 
The language must have a clear syntax and semantics. To be of practical interest, 
it must also satisfy (at least) the following desiderata. 

(1) It must be expressive enough to capture in an easy and natural way the policies 
that people want to discuss. 

(2) It must be tractable enough to allow interesting queries about policies to be 
answered efficiently. 

(3) It must be usable by non-experts, because we cannot expect policymakers and 
administrators to be well-versed in logic or programming languages. 

To achieve our objectives, we use a fragment of first-order logic that we call Lithium. 
While our approach is reminiscent of the Datalog ones, the restrictions that we 
make are quite different from those made previously. We believe (and will argue 
throughout this paper) that the resulting language is especially well-suited for many 
applications, and has a number of advantages over variants of Datalog. 

Because Lithium is a fragment of first-order logic, it automatically has a clear 
syntax and semantics; thus, it remains to argue that the logic satisfies the three goals 
listed above. Whether a logic is sufficiently expressive to satisfy the first objective 
naturally depends on the application. To evaluate our approach, we gathered a 
large collection of policies from different types of libraries, ranging from small public 
libraries to the Library of Congress; we then determined that the policies could be 
written in Lithium (sometimes considering multiple versions of the policies, one for 



¹ Recently, we have given formal semantics to a representative fragment of XrML [Halpern and Weissman 2004] and a representative fragment of ODRL [Pucella and Weissman 2004]. Both semantics are based on the approach given in this paper. The latest specification of XrML [MPEG 2004] includes formal semantics, in part to address our criticisms, but their approach is different from that used here. 
each interpretation). In addition, we have performed the same analysis on various 
parts of US legislation, including substantial fragments of the Privacy Rule, which 
governs access to electronic medical files, and Title 42, Chapter 7 of the US Code, 
which determines who is eligible for Social Security. Finally, we have shown that 
large fragments of XrML and ODRL can be translated into Lithium; see [Halpern 
and Weissman 2004; Pucella and Weissman 2004]. Our work indicates that Lithium 
is expressive enough to capture many (if not most) policies of interest. 
For the second desideratum, we focus on two key queries: 

— Given a set of policies and an environment that provides all relevant facts (e.g., "Alice is a librarian", "Anyone who is a librarian for less than a year is a novice", etc.), does it follow that a particular action, such as Alice editing the on-line catalog, is permitted or forbidden? 

— Is a set of policies consistent? In other words, are there no actions that are both 
permitted and forbidden by the policies in the set? This question is particularly 
interesting for collaboration. For example, suppose that Alice is writing the 
policies for her university's new outreach program. If the union of her policies 
and the university policies is consistent, then she knows that her policies do not 
contradict those of the university. 

The answers to these questions could be used by enforcement mechanisms and 
individuals who want to do regulated activities. More importantly, we believe that 
the answers provide a reasonably good understanding of the policies, increasing our 
confidence that the formal statements capture the informal rules and the informal 
rules capture the policy creator's intent. 

The rest of this paper is organized as follows. In the next section, we formally 
define our notions of policy and environment. We also give examples that illustrate 
how policies can be represented in an appropriate fragment of first-order logic. 
Sections 3 and 4 focus on queries about permissions (that is, whether a specific 
action is permitted given an environment and a set of policies) ; all our results hold 
with essentially no change for queries about prohibitions. We show in Section 3 
that such queries are, in general, hard to answer. In Section 4, we consider some 
restrictions that we believe typically hold in practice; under these restrictions, the 
queries are tractable. We address the consistency problem in Section 5. Of course, 
we do not expect typical users to be experts in first-order logic. In Section 6, 
we discuss what can be done to make Lithium accessible to non-logicians. Related work, including the Datalog approaches, is discussed in Section 7. Our concluding remarks are given in Section 8. Most proofs are left to the appendix. 

2. A FIRST-ORDER LOGIC FOR REASONING ABOUT POLICIES 

For the rest of the paper, we assume knowledge of first-order logic at the level of 
Enderton [1972]. More specifically, we assume the reader is familiar with the syn- 
tax of first-order logic, including constants, variables, predicate symbols, function 
symbols, and quantification; with the semantics of first-order logic, including re- 
lational models and valuations; and with the notions of satisfiability and validity 
of first-order formulas. Recall that many-sorted first-order logic is first-order logic 
modified so that each term is associated with a sort (i.e., type); variables of sort 
s range over the elements of sort s; and the signatures of predicate and function 
symbols restrict each argument to elements of a particular sort. 

We use many-sorted first-order logic with equality over some vocabulary $\Phi$ to express and reason about policies. Let $\mathcal{L}^{fo}(\Phi)$ denote the set of first-order formulas over the vocabulary $\Phi$. For this paper, we assume that there are at least three sorts, Actions (e.g., accessing a file), Subjects (the agents that perform actions; these are sometimes called principals in the literature), and Times. While these sorts seem natural for any policy logic, other sorts may be desired for particular applications. These sorts, including objects and roles, may be added to the logic without affecting our results. 

The vocabulary $\Phi$ is application-dependent; however, we assume that $\Phi$ contains a constant $\mathit{now}$ of sort Times and a binary predicate Permitted on Subjects × Actions. The constant $\mathit{now}$ denotes the current time. In practice, a global clock would determine the interpretation of $\mathit{now}$. Permitted(t, t') means that subject t is allowed to perform action t'. In practice, it may be useful to add additional arguments to Permitted, such as when the action is permitted and who is authorizing the granting or revoking of the permission. Which arguments are added (if any) depends on the application and on other choices made in the vocabulary. For example, consider a policy p that says "Alice is permitted to append image m to file f". We could either take Permitted to be a binary predicate and append to be a binary function, and express p as "Permitted(Alice, append(m, f))"; or we could take append to be a unary function and Permitted to be a ternary predicate, and express p as "Permitted(Alice, append(m), f)". Our results apply regardless of which choice is made, because they do not depend on the arity of Permitted and the other functions and predicates in the language. In fact, our results still hold even if policies refer to different variants of Permitted, with different arities. 

A policy is a closed first-order formula of the form 

$$\forall x_1 \ldots \forall x_m\,(f \Rightarrow (\neg)\mathrm{Permitted}(t, t')),$$

where $f$ is any first-order formula, $t$ and $t'$ are terms of sort Subjects and Actions respectively, and the notation $(\neg)\mathrm{Permitted}$ indicates that the Permitted predicate may or may not be negated. Defining a policy in this way provides a structure that matches our intuition, namely, that a policy is a set of conditions under which an action is or is not permitted. 

To illustrate how policies can be expressed in first-order logic, consider the fol- 
lowing examples. 

Example 2.1. The policy "only librarians may edit the catalog" can be characterized by the following two formulas: 

$$\forall x\,(\neg\mathrm{Librarian}(x) \Rightarrow \neg\mathrm{Permitted}(x, \text{edit the catalog}))$$
$$\forall x\,(\mathrm{Librarian}(x) \Rightarrow \mathrm{Permitted}(x, \text{edit the catalog})).$$

(Depending on the intended meaning of the English statement, the first formula by itself may characterize the policy.) 

Example 2.2. The policy "a customer may download any article if she has paid a fee within the past six weeks" can be rewritten as "if an individual i has paid the fee within the past six weeks, i is a customer, and a is some article, then i may download a". The policy can be encoded readily (taking time to be measured in weeks) as 

$$\forall i\,\forall t\,\forall a\,((\mathrm{PaidFee}(i, t) \wedge (\mathit{now} - 6 < t < \mathit{now}) \wedge \mathrm{Customer}(i, \mathit{now}) \wedge \mathrm{Article}(a)) \Rightarrow \mathrm{Permitted}(i, \mathrm{download}(a))).$$

Example 2.3. The policy set "anyone may sing" and "anyone who is allowed to sing may dance" can be characterized by the following two formulas: 

$$\forall x\,(\mathrm{Permitted}(x, \mathit{sing}))$$
$$\forall x\,(\mathrm{Permitted}(x, \mathit{sing}) \Rightarrow \mathrm{Permitted}(x, \mathit{dance})).$$

To determine the consequences of policies, we need to know which facts are true in 
the environment (i.e., the context in which the policies are applied). For example, if 
the environment implies that Alice is a librarian, then the policies in Example 2.1 
imply that she may edit the catalog. If the environment is silent as to whether 
Alice is a librarian, then the policies in Example 2.1 do not regulate her actions. 
The environment may include specific statements such as "Alice is a librarian", 
"The Cat in the Hat is a children's book", or "Sally has a junior library card". 
General statements may also be included, such as the conditions under which a 
customer is considered to be in good standing and "at all times, there is a senior 
staff member who is on call" . All the examples we have considered so far confirm 
our belief that first-order logic is sufficiently expressive to capture most environ- 
ments that are likely to arise in practice. Thus, we formally define an environment 
to be a closed first-order formula that does not contain the Permitted predicate. 
The requirement that the environment not contain Permitted encourages the in- 
tuitive separation between the environment, which is a description of reality, and 
the policies, which are the rules governing that reality. 

The two types of queries discussed in the introduction can now be formalized. The first query, is an individual $t$ permitted to perform an action $t'$ (where $t$ and $t'$ are closed terms) given an environment $E$ and some policies $p_1, \ldots, p_n$, amounts to asking if the formula $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \mathrm{Permitted}(t, t')$ is valid. (Similarly, $t$ is forbidden to do $t'$ if and only if $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \neg\mathrm{Permitted}(t, t')$ is valid.) The second query, "Are the policies consistent?", asks if the formula $E \wedge p_1 \wedge \ldots \wedge p_n$ is satisfiable. For ease of exposition, we focus on determining if an action is permitted (or forbidden). As we show, it is easy to modify our techniques to handle the consistency question. 

3. INTRACTABILITY RESULTS 

In general, the queries in which we are interested cannot be answered efficiently. Indeed, the problem in its full generality is easily seen to be undecidable if the vocabulary $\Phi$ has at least one binary predicate other than Permitted (and closed terms $t$ and $t'$ of sort Subjects and Actions, respectively, so that it is possible to actually form queries). To see this, let $f$ be an arbitrary formula that does not contain Permitted. Consider the policy $f \Rightarrow \mathrm{Permitted}(t, t')$, and let the environment be empty (i.e., $\mathit{true}$). Standard manipulations show that 

$$(f \Rightarrow \mathrm{Permitted}(t, t')) \Rightarrow \mathrm{Permitted}(t, t')$$

is equivalent to 

$$f \vee \mathrm{Permitted}(t, t').$$
Since $f$ does not mention Permitted, the last formula is valid iff $f$ is valid. The validity problem for first-order formulas is well known to be undecidable, even if we restrict to formulas whose only nonlogical symbol is a binary predicate. In fact, undecidability holds if we further restrict to formulas that have a single alternation of quantifiers (i.e., formulas of the form $Q_1 x_1 \ldots Q_n x_n\, R_1 y_1 \ldots R_m y_m\, f$, where $Q_i = \exists$ and $R_j = \forall$ for $i = 1, \ldots, n$ and $j = 1, \ldots, m$, or vice versa, and $f$ is quantifier-free) [Börger et al. 1997]. So, in general, we cannot determine whether a single policy implies a permission if writing the policy as a first-order formula requires an alternation of quantifiers and a binary predicate other than Permitted. In fact, undecidability holds even without the assumption that $\Phi$ has a binary predicate other than Permitted. 

Theorem 3.1. Let $\mathcal{L}_0$ be the set of closed formulas of the form 

$$(f \Rightarrow \mathrm{Permitted}(c, c')) \Rightarrow \mathrm{Permitted}(c, c'),$$

where $c$ and $c'$ are constants of the appropriate sorts, $f$ has a single alternation of quantifiers, and the only nonlogical symbol in $f$ is Permitted. The validity question for $\mathcal{L}_0$ is undecidable. 

Not surprisingly, similar undecidability results hold if we allow formulas in the 
environment to involve an alternation of quantifiers (provided that there is a binary 
predicate in the language other than Permitted, since we do not allow Permitted 
in the environment). Given Theorem 3.1, it seems that our only hope is to forbid 
any alternation of quantifiers. 

How much quantification do we really need? A quantifier-free environment suffices to capture simple databases. Many applications, however, need a richer environment that includes general properties, such as "men are not women" and "a senior citizen is anyone over sixty-five years old". For these applications, universal quantification is needed in the environment. In addition, almost all applications need quantification in their policies. To see why, notice that if we do not allow a policy to have any quantification (i.e., define a policy to have the form $f \Rightarrow \mathrm{Permitted}(t, t')$ where $t$ and $t'$ are closed terms and $f$ is quantifier-free), then each policy must govern a specific individual and action. For example, we can say "If Alice is good, she may play outside", but we cannot say "All good children may play outside". Because policies typically permit an individual to do an action based on the attributes of that individual, we must allow policies to be universally quantified. 

All policies expressible in XrML and in ODRL, as well as the policies that we have collected from libraries and government databases, can be written as universal formulas (i.e., as formulas that can be written in the form $\forall x_1 \ldots \forall x_n\, f$, where $f$ is quantifier-free). Some of the policies that we collected may appear to need existential quantification, but they can be converted to equivalent universal formulas. Example 3.2 illustrates how we can apply standard first-order transformations to do the conversion. 

Example 3.2. Consider the policy "anyone who is accompanied by a librarian may enter the stacks". A natural way to state this in first-order logic is 

$$\forall x_1\,(\exists x_2\,(\mathrm{Librarian}(x_2) \wedge \mathrm{Accompanies}(x_2, x_1)) \Rightarrow \mathrm{Permitted}(x_1, \mathrm{enter}(\mathit{stacks}))).$$

This formula is logically equivalent to 

$$\forall x_1\,\forall x_2\,((\mathrm{Librarian}(x_2) \wedge \mathrm{Accompanies}(x_2, x_1)) \Rightarrow \mathrm{Permitted}(x_1, \mathrm{enter}(\mathit{stacks}))),$$

which uses only universal quantification. (An existential in the antecedent of an implication becomes a universal over the whole implication: $(\exists x\, g) \Rightarrow h$ is equivalent to $\forall x\,(g \Rightarrow h)$ whenever $x$ is not free in $h$.) 

Note that enter is a function in Example 3.2. Unfortunately, it is well known that the validity problem for existential formulas with function symbols is undecidable, even if we restrict to formulas with only two existentials and one unary function symbol [Börger et al. 1997]. The following strengthening of Theorem 3.1 is almost immediate. 

Theorem 3.3. Let $\mathcal{L}_1$ be the set of closed formulas of the form 

$$\forall x_1\,\forall x_2\,(f \Rightarrow \mathrm{Permitted}(c, c')) \Rightarrow \mathrm{Permitted}(c, c'),$$

where $c$ and $c'$ are constants of the appropriate sort and $f$ is a quantifier-free formula whose only nonlogical symbols are Permitted and a unary function. The validity problem for $\mathcal{L}_1$ is undecidable. 

Theorem 3.3 suggests that even if we drastically reduce quantification, we still need to disallow functions to get decidability. Once we severely restrict quantification and remove functions entirely, then we do get a decidable fragment, but it is not tractable. Recall that $\Pi_2^p$ is the second level of the polynomial hierarchy, and represents languages that can be decided in co-NP with an NP oracle. 

Theorem 3.4. Let $\Phi$ be a vocabulary that contains Permitted, constants $c$ and $c'$ of sorts Subjects and Actions, respectively, and possibly other predicate and constant symbols (but no function symbols). Assume that there is a bound on the arity of the predicate symbols in $\Phi$ (that is, there exists some $N$ such that all predicate symbols in $\Phi$ have arity at most $N$). Finally, let $\mathcal{L}_2$ be the set of all closed formulas in $\mathcal{L}^{fo}(\Phi)$ of the form $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \mathrm{Permitted}(c, c')$ such that $E$ is a conjunction of quantifier-free and universal formulas and each policy $p_1, \ldots, p_n$ has the form $\forall x_1 \ldots \forall x_m\,(f \Rightarrow \mathrm{Permitted}(t_1, t_2))$, where $t_1$ and $t_2$ are terms of the appropriate sort and $f$ is quantifier-free. 

(a) The validity problem for $\mathcal{L}_2$ is in $\Pi_2^p$. 

(b) If $\mathcal{L}_3$ is the set of formulas in $\mathcal{L}_2$ in which every policy's antecedent is a conjunction of literals, then the validity problem for $\mathcal{L}_3$ is $\Pi_2^p$-hard. 

(c) If $\mathcal{L}_4$ is the set of $\mathcal{L}_2$ formulas in which $E$ is quantifier-free, then the validity problem for $\mathcal{L}_4$ is both NP-hard and co-NP-hard. 

We remark that if we do not require the arity of the predicate symbols in $\Phi$ to be bounded, then we must replace $\Pi_2^p$ by co-NEXPTIME (co-nondeterministic exponential time) in parts (a) and (b) [Börger et al. 1997]. 

Theorems 3.1, 3.3, and 3.4 seem to suggest that the questions we are interested in 
are hopelessly intractable. Fortunately, things are not nearly as bad as they seem. 

4. IDENTIFYING TRACTABLE SUBLANGUAGES 

The work on Datalog and its variants mentioned in the introduction demonstrates that there are useful, tractable fragments of first-order logic. In this section we define Lithium, a fragment of first-order logic characterized by a different set of restrictions than those considered by the Datalog community, show that these restrictions lead to tractability, and argue that they are particularly well-suited to reasoning about policies. 

As a first step towards defining Lithium, we characterize the classes of environments and policies that are likely to occur in practice. A basic environment is an environment that is a conjunction of ground literals. Basic environments are sufficiently expressive to capture the information in databases and certificates. While this is adequate for many applications, basic environments cannot represent general properties such as "every citizen of Germany is a member of the European Union". To capture these, we define a standard environment to be an environment that is a conjunction of ground literals and closed formulas of the form $\forall x_1 \ldots \forall x_n\,(\ell_1 \wedge \ldots \wedge \ell_k \Rightarrow \ell_{k+1})$, where $\ell_1, \ldots, \ell_{k+1}$ are literals. Each conjunct of a standard environment is an environment fact. Note that every basic environment is a standard environment. A standard policy is a policy of the form $\forall x_1 \ldots \forall x_n\,(\ell_1 \wedge \ldots \wedge \ell_k \Rightarrow \mathrm{Permitted}(t_1, t_2))$, where $\ell_1, \ldots, \ell_k$ are literals and both $t_1$ and $t_2$ are terms of the appropriate sort. Standard environments and standard policies are sufficiently expressive for all of the applications that we have considered. A simple policy is a standard policy where none of the literals in the antecedent mentions Permitted. For example, $\mathrm{Permitted}(t_1, t_2) \Rightarrow \mathrm{Permitted}(t_1, t_3)$ is not a simple policy. 

A policy base is a formula of the form $E \wedge P$, where $E = E_0 \wedge E_1$ is a standard environment, $E_0$ is a conjunction of ground literals, $E_1$ is a conjunction of universally quantified formulas, and $P$ is a conjunction of standard policies. In the rest of the paper, when we write standard queries, we assume that the formulas $E$, $E_0$, $E_1$, and $P$ satisfy these constraints (that is, $E$ is a standard environment of the form $E_0 \wedge E_1$; $E_0$ is a basic environment; and so on). We are interested in characterizing policy bases $E \wedge P$ for which it is tractable to determine whether the query $E \wedge P \Rightarrow \mathrm{Permitted}(t, t')$ is valid, where $t$ and $t'$ are terms of the appropriate sort. We call such a query a standard query. 

In the next section, we define a set of restrictions on standard queries that guar- 
antee that validity can be determined quickly. After presenting the restrictions, 
we evaluate the likelihood that the restrictions will hold in practice. In subse- 
quent sections, we relax each of the restrictions to accommodate a wider range 
of applications without sacrificing tractability. Roughly speaking, Lithium, which 
is formally defined in Section 4.2.5, is the set of standard queries that satisfy the 
relaxed restrictions. 



4.1 A Tractable Sublanguage 

We use the following terms to define the initial set of restrictions. A variable $v$ is constrained in a clause $c$ if $v$ appears as an argument to Permitted in $c$. For example, both $x$ and $y$ are constrained in the clause $\forall x\,\forall y\,\forall z\,(\neg R(x, z) \vee \mathrm{Permitted}(x, y))$; $z$ is not constrained. Two literals $\ell$ and $\ell'$ are unifiable if there are variable substitutions $\sigma$ and $\sigma'$ such that $\ell\sigma = \ell'\sigma'$. For example, $R(x, c_1)$ and $R(c_2, y)$ are unifiable by substituting $c_2$ for $x$ and $c_1$ for $y$, while $R(x, c_1)$ and $R(y, c_2)$ are not unifiable (if $c_1$ and $c_2$ are distinct constants). Let $f$ be a formula in CNF² and let $\ell$ be a literal in $f$. We say that $\ell$ is bipolar in $f$ if there is another literal $\ell'$ in $f$ such that $\ell$ and $\neg\ell'$ are unifiable. The pair $\ell, \ell'$ is called a bipolar pair. For example, consider the formula $f = \forall x\,(\mathrm{Permitted}(x, \mathit{nap}) \Rightarrow \mathrm{Permitted}(\mathrm{Advisor}(x), \mathit{nap}))$, which in CNF is $\forall x\,(\neg\mathrm{Permitted}(x, \mathit{nap}) \vee \mathrm{Permitted}(\mathrm{Advisor}(x), \mathit{nap}))$. Because $\neg\mathrm{Permitted}(x, \mathit{nap})[x/\mathrm{Advisor}(y)] = \neg\mathrm{Permitted}(\mathrm{Advisor}(x), \mathit{nap})[x/y]$, the literals $\neg\mathrm{Permitted}(x, \mathit{nap})$ and $\mathrm{Permitted}(\mathrm{Advisor}(x), \mathit{nap})$ are bipolar in $f$; together they form a bipolar pair. 

Theorem 4.1. Let $\mathcal{L}_5$ consist of all standard queries of the form $E \wedge P \Rightarrow \mathrm{Permitted}(t, t')$ such that 

(1) $E$ is basic (i.e., $E$ is a conjunction of ground literals), 

(2) there are no bipolar literals in $P$, 

(3) equality is not mentioned in $E \wedge P$, and 

(4) every variable appearing in a conjunct $p$ of $P$ is constrained in $p$. 

The validity of formulas in $\mathcal{L}_5$ can be determined in time $O((|E| + |P|\,|\mathrm{Permitted}(t, t')|) \log |E|)$, where $|\varphi|$ denotes the length of $\varphi$, when viewed as a string of symbols. 

Note that the language $\mathcal{L}_5$ includes formulas such as 

$$\mathrm{Student}(\mathit{Alice}) \wedge \mathrm{Good}(\mathit{Alice}) \wedge \forall x\,(\mathrm{Student}(x) \Rightarrow \mathrm{Permitted}(x, \mathit{work})) \wedge \forall x\,(\mathrm{Student}(x) \wedge \mathrm{Good}(x) \Rightarrow \mathrm{Permitted}(x, \mathit{play})) \Rightarrow \mathrm{Permitted}(\mathit{Alice}, \mathit{play})$$

(may Alice play given that Alice is a student, Alice is good, all students may 
work, and all good students may play). Unlike Theorem 3.4(c), function symbols 
are allowed in Theorem 4.1. Moreover, there is no assumption that the arity of 
predicates and functions in the vocabulary is bounded. The price we pay for this 
added generality and for cutting the complexity to linear in the number of policies 
(which could well be large), linear in the length of the permission being considered 
(which is almost certainly small), and not much more than linear in the size of the 
database (which we expect to be relatively small, particularly in certificate-passing 
systems) is the four restrictions. We now discuss the likelihood that the restrictions 
will hold in practice; in subsequent sections we consider how the restrictions can 
be relaxed. 

As we have already said, basic environments are sufficiently expressive to capture 
the facts stored in databases and certificates. They are also sufficiently expressive 
for the library applications that we considered and for the policies that can be 
written in XrML or ODRL, since both languages assume a minimal environment 
containing facts such as the current time, the time of the most recent revocation 
polling, and the number of times that a particular subject has done a specific action 
(e.g., printing a file). It is true, however, that basic environments are not always 
enough. For example, the documents that describe who may collect Social Security 

² We say that a first-order formula is in CNF if it has the form $c_1 \wedge \ldots \wedge c_n$, where each $c_i$ has the form $Q_1 x_1 \ldots Q_m x_m\,(\varphi)$, each $Q_j \in \{\forall, \exists\}$, and $\varphi$ is a (quantifier-free) disjunction of literals, for $i = 1, \ldots, n$ and $j = 1, \ldots, m$. Each $\varphi$ is called a clause. We sometimes identify a universal formula in CNF with its set of clauses. 
define an aged person to be anyone 65 years old or older, who is a resident of 
the U.S., and is either a citizen or an alien residing in the U.S. both legally and 
permanently. A basic environment cannot capture this definition. 

The second restriction, that there are no bipolar literals in $P$, is likely to hold if all the policies are permitting policies (that is, their conclusions have the form $\mathrm{Permitted}(t_1, t_2)$) or all are denying policies (that is, their conclusions have the form $\neg\mathrm{Permitted}(t_1, t_2)$). To see why, recall that a permitting policy says 'if the 
following conditions hold, then a particular action is permitted'. These conditions 
typically include requirements that someone possess one or more credentials, such 
as a library card or a driver's license. It is fairly rare that not having a credential, 
such as not having a driver's license, increases an individual's rights. Therefore, 
we do not expect credentials to correspond to bipolars. Similar arguments may be 
made for other types of information. 

If the policy set includes a mix of permitting and denying policies, then it seems 
less likely that the bipolar restriction will hold. For example, suppose that an 
individual may smoke if and only if she is over eighteen years old. We could write 
this statement as two policies 

$$p_1 = \forall x\,(\mathrm{GreaterThan}(\mathrm{age}(x), 18) \Rightarrow \mathrm{Permitted}(x, \mathit{smoke}))$$ and
$$p_2 = \forall x\,(\neg\mathrm{GreaterThan}(\mathrm{age}(x), 18) \Rightarrow \neg\mathrm{Permitted}(x, \mathit{smoke})).$$

Note that $p_1$ is a permitting policy, $p_2$ is a denying policy, and every literal in $p_1 \wedge p_2$ is bipolar in $p_1 \wedge p_2$. 

The third restriction, that equality is not used, is satisfied by most of the poli- 
cies and environment facts that we collected. However, the restriction is vio- 
lated by threshold policies (e.g., "if Alice is blackballed by at least two people, 
then she may not join the club") and by statements that say two distinct names 
refer to the same individual (e.g., "Alice Smith = wifeOf(Bob Smith)" and 
"number of accesses = 7"). 

The last restriction, that every variable appearing in a policy $p$ is constrained in $p$, holds if an individual is granted or denied permission based solely on her attributes and the attributes of the regulated action. Notice that the policies in Examples 2.1 and 2.3 have this form, but the policies in Examples 2.2 and 3.2 do not. In particular, whether the policy in Example 3.2 allows $x_1$ to enter the stacks depends on an attribute of some other individual $x_2$. 

Before relaxing the restrictions, we briefly discuss why they are sufficient for tractability. The first three restrictions allow us to consider each policy individually, that is, $E \wedge P \Rightarrow \mathrm{Permitted}(t, t')$ is valid iff $E \wedge p \Rightarrow \mathrm{Permitted}(t, t')$ is valid for some conjunct $p$ in $P$. 

Proposition 4.2. Suppose that $E \wedge P \Rightarrow \mathrm{Permitted}(t, t')$ is a standard query in which $E$ is basic, the equality symbol is not mentioned in $E \wedge P$, and there are no bipolars in $P$. Then $E \wedge P \Rightarrow \mathrm{Permitted}(t, t')$ is valid iff there is a conjunct $p$ of $P$ such that $E \wedge p \Rightarrow \mathrm{Permitted}(t, t')$ is valid. 

If the last restriction holds, then we can determine quickly whether $E \wedge p \Rightarrow \mathrm{Permitted}(t, t')$ is valid for some conjunct $p$ of $P$. 
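To make the definitions of Section 4.1 and the per-policy argument behind Proposition 4.2 concrete, here is an added Python example. It was written for this edit; it is not code from the paper, and Halpern and Weissman do not supply an implementation. It encodes basic environments and standard policies, implements the unifiability test and the bipolar check as defined above (renaming variables apart, so that each literal gets its own substitution), checks the four restrictions of Theorem 4.1, and decides a query in $\mathcal{L}_5$ by trying each policy on its own. The term and literal encoding, the function names, and the sample facts and policies are this example's own choices; the fact lookup uses a hash set, and no claim is made to the paper's $O((|E| + |P|\,|\mathrm{Permitted}(t, t')|) \log |E|)$ bound.

```python
# Encoding (this example's choice, not the paper's): a variable is a str such as
# 'x'; a constant or function term is a tuple (symbol, *args), e.g. ('Alice',) or
# ('Advisor', 'x'); a literal is (positive, predicate, args); a standard policy
# is (list of antecedent literals, conclusion literal).
def term_vars(t):
    return {t} if isinstance(t, str) else set().union(*map(term_vars, t[1:]))

def literal_vars(lit):
    return set().union(*map(term_vars, lit[2]))

def subst(t, s):
    """Apply substitution s (dict variable -> term) to t, following chains."""
    if isinstance(t, str):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])

def unify(a, b, s=None):
    """Most general unifier of terms a and b extending s, or None."""
    s = {} if s is None else s
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if isinstance(a, str):
        return None if a in term_vars(b) else {**s, a: b}   # occurs check
    if isinstance(b, str):
        return unify(b, a, s)
    if a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None:
            return None
    return s

def unify_literals(l, m):
    """Unifier of two literals with the same sign and predicate, or None."""
    if l[0] != m[0] or l[1] != m[1] or len(l[2]) != len(m[2]):
        return None
    return unify(('_',) + l[2], ('_',) + m[2])

def rename(lit, tag):
    """Rename variables apart: the paper's 'unifiable' gives each literal its own
    substitution, which is ordinary unification after renaming."""
    def r(t):
        return f"{t}#{tag}" if isinstance(t, str) else (t[0],) + tuple(map(r, t[1:]))
    return (lit[0], lit[1], tuple(map(r, lit[2])))

def clause_literals(policies):
    """All literals of the CNF form of P: negated antecedents plus conclusions."""
    return [l for a, c in policies for l in [(not p, q, r) for p, q, r in a] + [c]]

def bipolar_pairs(policies):
    """Pairs (l, l') of literals in the CNF form of P such that l and the negation
    of l' unify (Section 4.1); empty iff P has no bipolars."""
    lits, pairs = clause_literals(policies), []
    for i, l in enumerate(lits):
        for m in lits[i + 1:]:
            if unify_literals(rename(l, 'a'), rename((not m[0], m[1], m[2]), 'b')) is not None:
                pairs.append((l, m))
    return pairs

def in_l5(env, policies):
    """The four restrictions of Theorem 4.1."""
    if any(literal_vars(l) or l[1] == 'Permitted' for l in env):        # (1) E basic
        return False
    if bipolar_pairs(policies):                                         # (2) no bipolars
        return False
    if any(l[1] == '=' for l in list(env) + clause_literals(policies)): # (3) no equality
        return False
    for ante, concl in policies:                                        # (4) constrained
        bound = set().union(*[literal_vars(l) for l in ante + [concl] if l[1] == 'Permitted'])
        if any(literal_vars(l) - bound for l in ante + [concl]):
            return False
    return True

def decide_l5(env, policies, subject, action):
    """Validity of E and P => Permitted(subject, action) for an L5 query, one policy
    at a time (Proposition 4.2): unify the conclusion with the ground target, which
    grounds the antecedent (restriction 4), then look the antecedent up in E."""
    if not in_l5(env, policies):
        raise ValueError("query is outside L5; Theorem 4.1 does not apply")
    facts = set(env)
    if any((not p, q, r) in facts for p, q, r in facts):
        return True        # inconsistent E: the implication holds trivially
    target = (True, 'Permitted', (subject, action))
    for ante, concl in policies:
        s = unify_literals(concl, target)
        if s is None:
            continue
        needed = [(p, q, tuple(subst(a, s) for a in r)) for p, q, r in ante]
        if all(not literal_vars(l) and l in facts for l in needed):
            return True
    return False

# Constructed sample policy base: the formula discussed after Theorem 4.1.
ENV = [(True, 'Student', (('Alice',),)), (True, 'Good', (('Alice',),)),
       (True, 'Student', (('Bob',),))]
POLICIES = [([(True, 'Student', ('x',))], (True, 'Permitted', ('x', ('work',)))),
            ([(True, 'Student', ('x',)), (True, 'Good', ('x',))],
             (True, 'Permitted', ('x', ('play',))))]
# The nap policy of Section 4.1: its antecedent and conclusion are a bipolar pair.
NAP = [([(True, 'Permitted', ('x', ('nap',)))],
        (True, 'Permitted', (('Advisor', 'x'), ('nap',))))]
```

`decide_l5(ENV, POLICIES, ('Alice',), ('play',))` returns True, while the same query for Bob returns False because Good(Bob) is not among the facts; `bipolar_pairs(NAP)` finds the single pair of the nap example. Encoding the smoking policies $p_1$ and $p_2$ from the discussion above in the same way makes `in_l5` reject them, since every literal in them is bipolar, and `decide_l5` then refuses to answer rather than returning a result the theorem does not justify.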
4.2 Relaxing the Restrictions 

In this section, we consider the extent to which we can relax the four restrictions 
given in Theorem 4.1, while still maintaining tractability. We consider each of the 
restrictions in turn. 

4.2.1 Beyond Basic Environments. There is an obvious generalization of Theorem 4.1:
we simply remove the first restriction and replace every reference to $P$ with
$E_1 \wedge P$, where $E_1$ is the conjunction of universal statements in $E$. This results in
three restrictions: there are no bipolar literals in $E_1 \wedge P$, equality is not mentioned in
$E_1 \wedge P$, and every variable appearing in a conjunct $c$ of $E_1 \wedge P$ is constrained in $c$.
Unfortunately, because Permitted does not appear in the environment, the variable
restriction holds only if the environment has no quantification. In addition, we can
prove that, if there are no bipolar literals in $E_1 \wedge P$, then $E \wedge P \Rightarrow Permitted(t, t')$
is valid if and only if $E$ is inconsistent or $E_0 \wedge P \Rightarrow Permitted(t, t')$ is valid, where
$E_0$ is the conjunction of ground literals in $E$. This means that a universal statement
in the environment can affect the validity of a query only if it makes the
environment inconsistent. To support interesting universal statements in the environment,
we must relax the restrictions on bipolar literals and variables, which we
do in Sections 4.2.2 and 4.2.4, respectively.

4.2.2 Relaxing the Bipolar Restriction. If we allow bipolar literals in $E_1 \wedge P$,
then a permission might follow from a set of policies without following from any
single policy. In other words, the conclusion of Proposition 4.2 might not hold.

Example 4.3. Consider two policies $p_1$ and $p_2$, where $p_1$ says "Alice may cry
if she is happy" and $p_2$ says "Alice may cry if she is not happy". Formally,

$p_1 = Happy(Alice) \Rightarrow Permitted(Alice, cry)$ and
$p_2 = \neg Happy(Alice) \Rightarrow Permitted(Alice, cry)$.

Clearly, $p_1 \Rightarrow Permitted(Alice, cry)$ is not valid, because Alice might not be
happy. Similarly, $p_2 \Rightarrow Permitted(Alice, cry)$ is not valid, because Alice might
be happy. But $p_1 \wedge p_2 \Rightarrow Permitted(Alice, cry)$ is valid, because Alice is either
happy, in which case she may cry by $p_1$, or she is not happy, in which case she may
cry by $p_2$. So Alice's right to cry doesn't follow from either policy individually, but
follows from both policies together, essentially because $p_1 \wedge p_2$ includes the bipolar
pair $(Happy(Alice), \neg Happy(Alice))$. □

Example 4.3 shows how we can use bipolar literals to infer a statement, namely
Alice may cry, from two clauses, namely $p_1$ and $p_2$. Resolution [Nerode and
Shore 1997] generalizes the reasoning in this example. To understand how resolution
works, let $c$ be the clause $\forall x_1 \ldots \forall x_n(\ell \Rightarrow d)$ and let $c'$ be the clause
$\forall x'_1 \ldots \forall x'_m(\ell' \Rightarrow d')$, where $\ell$ and $\ell'$ are literals. Suppose that $\sigma$ and $\sigma'$ are variable
substitutions such that $\ell\sigma = \neg\ell'\sigma'$. It is easy to see that $c \wedge c' \Rightarrow d\sigma \vee d'\sigma'$ is valid.
Using standard terminology, we call $c$ and $c'$ the parents of the resolvent $d\sigma \vee d'\sigma'$,
and we say that $c$ and $c'$ resolve on $\ell\sigma$ to create $d\sigma \vee d'\sigma'$.$^3$ The closure under
resolution of a universal formula $f$, denoted $R(f)$, is the smallest set of clauses that
includes the clauses in $f$ (when $f$ is in CNF) and is closed under resolution, that
is, if $e$ is the resolvent of two distinct clauses in $R(f)$, then $e$ is in $R(f)$. Roughly
speaking, the resolvents in $R(f)$ are all the clauses that can be inferred from the
clauses in $f$.

$^3$ Actually, the resolvent is created using a particular substitution, called a most general unifier,
which is essentially the substitution that replaces variables with constants only when necessary.
For example, the most general unifier for $c = \forall y(\neg R(y) \Rightarrow S(y))$ and $c' = \forall x(R(f(x)) \Rightarrow S(g(x)))$

Our interest in resolution is motivated in part because we can prove that a standard
query $q$ of the form $E_0 \wedge E_1 \wedge P \Rightarrow Permitted(t, t')$ that does not mention equality
is valid iff there is a clause $c \in R(E_1 \wedge P)$ such that $E_0 \wedge c \Rightarrow Permitted(t, t')$ is
valid. The role of the bipolar restriction in the language $\mathcal{L}_5$ is also best understood
in the context of resolution. Part of our approach to guaranteeing tractability involves
keeping $R(E_1 \wedge P)$ small. If there are no bipolar literals in $E_1 \wedge P$, then
$R(E_1 \wedge P)$ includes only the conjuncts of $E_1$ and $P$; there are no resolvents. We
can also prove that $R(E_1 \wedge P)$ is still fairly small if each conjunct in $E_1 \wedge P$ has at
most one bipolar literal. As a result, we maintain tractability if there is at most
one bipolar literal in each conjunct (see Theorem 4.7). However, if even a single
conjunct of $E_1 \wedge P$ has two bipolars, and the other conjuncts have at most one
bipolar each, then $R(E_1 \wedge P)$ can be infinite.

Example 4.4. Suppose we have two policies; the first is "Alice may play" and
the second is "for all individuals $x_1$ and $x_2$, if $x_1$ may play and $x_2$ is $x_1$'s boss, then
$x_2$ may play". We can write these policies as

$p_1 = Permitted(Alice, play)$

$p_2 = \forall x_1 \forall x_2(Permitted(x_1, play) \wedge BossOf(x_2, x_1) \Rightarrow Permitted(x_2, play))$

It is not hard to see that for any integer $n$, the closure of $p_1 \wedge p_2$ includes the clause

$(\bigvee_{i=1}^{n} \neg BossOf(x_i, x_{i-1})) \vee \neg BossOf(x_0, Alice) \vee Permitted(x_n, play)$,

which says that if $x_0$ is Alice's boss, $x_1$ is $x_0$'s boss, $\ldots$, and $x_n$ is $x_{n-1}$'s boss,
then $x_n$ may play. □
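The resolution step and the closure $R(f)$ described above, run on Examples 4.3 and 4.4, as an added example in Python (not code from the paper). The encoding of terms, literals and clauses is an assumption of this example, as is the reading of "bipolar" used by `bipolar_counts`: a literal is counted as bipolar when some literal of some clause in the set, possibly the same clause renamed apart, unifies with its negation, which is the reading under which $p_2$ of Example 4.4 has two bipolars. Because $R(p_1 \wedge p_2)$ of Example 4.4 is infinite, `closure` works round by round with a round limit and reports whether it saturated; on that example each round adds exactly one more link of the boss chain the text describes.

```python
from itertools import combinations, permutations

# Encoding (constructed for this example): a variable is a string starting with '?', any
# other string is a constant, a compound term such as age(x) is ('age', '?x'); a literal is
# (positive, predicate, args) and a clause is a frozenset of literals read as a disjunction.

def lit(pred, *args, neg=False):
    return (not neg, pred, tuple(args))

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def subst(t, s):
    """Apply substitution s to term t, following chains of bindings."""
    if is_var(t) and t in s:
        return subst(s[t], s)
    return (t[0],) + tuple(subst(a, s) for a in t[1:]) if isinstance(t, tuple) else t

def occurs(v, t):
    return t == v or (isinstance(t, tuple) and any(occurs(v, a) for a in t[1:]))

def unify(a, b, s):
    """Most general extension of substitution s that makes a and b equal, or None."""
    a, b = subst(a, s), subst(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if occurs(v, t) else {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def map_terms(clause, f):
    return frozenset((pos, p, tuple(f(a) for a in args)) for pos, p, args in clause)

def rename(clause, tag):
    """Standardise apart: every variable of the clause gets a fresh name."""
    def r(t):
        if is_var(t):
            return t + tag
        return (t[0],) + tuple(r(a) for a in t[1:]) if isinstance(t, tuple) else t
    return map_terms(clause, r)

def canonical(clause):
    """Key identifying a clause up to variable renaming and literal order."""
    keys = []
    for order in permutations(sorted(clause, key=repr)):
        names = {}
        def r(t):
            if is_var(t):
                return names.setdefault(t, "?v%d" % len(names))
            return (t[0],) + tuple(r(a) for a in t[1:]) if isinstance(t, tuple) else t
        keys.append(repr([(pos, p, tuple(r(a) for a in args)) for pos, p, args in order]))
    return min(keys)

def resolvents(c1, c2):
    """All binary resolvents of two clauses: complementary literals whose arguments unify."""
    c1, c2 = rename(c1, "_a"), rename(c2, "_b")
    out = set()
    for l1 in c1:
        for l2 in c2:
            if l1[1] != l2[1] or l1[0] == l2[0] or len(l1[2]) != len(l2[2]):
                continue
            s = unify(("_",) + l1[2], ("_",) + l2[2], {})   # unify the argument lists
            if s is not None:
                out.add(map_terms((c1 - {l1}) | (c2 - {l2}), lambda t: subst(t, s)))
    return out

def closure(clauses, max_rounds=10):
    """R(f) built round by round; saturated is False if the limit stopped a growing closure."""
    seen = {canonical(c): c for c in clauses}
    for _ in range(max_rounds):
        new = {}
        for a, b in combinations(list(seen.values()), 2):   # distinct clauses only
            for r in resolvents(a, b):
                k = canonical(r)
                if k not in seen and k not in new:
                    new[k] = r
        if not new:
            return set(seen.values()), True
        seen.update(new)
    return set(seen.values()), False

def bipolar_counts(clauses):
    """Per clause, how many of its literals are bipolar in the set: a literal counts if some
    literal of some clause (possibly the same one, renamed apart) unifies with its negation."""
    pool = [m for c in clauses for m in rename(c, "_o")]
    return [sum(any(m[0] != l[0] and m[1] == l[1] and len(m[2]) == len(l[2])
                    and unify(("_",) + l[2], ("_",) + m[2], {}) is not None for m in pool)
                for l in rename(c, "_i")) for c in clauses]

# Example 4.3: Alice may cry if she is happy, and may cry if she is not happy.
CRY = [frozenset({lit("Happy", "Alice", neg=True), lit("Permitted", "Alice", "cry")}),
       frozenset({lit("Happy", "Alice"), lit("Permitted", "Alice", "cry")})]
# Example 4.4: Alice may play, and the boss of anyone who may play may play.
PLAY = [frozenset({lit("Permitted", "Alice", "play")}),
        frozenset({lit("Permitted", "?x1", "play", neg=True),
                   lit("BossOf", "?x2", "?x1", neg=True), lit("Permitted", "?x2", "play")})]
```

`closure(CRY)` saturates after one round with the unit clause $Permitted(Alice, cry)$ added, while `closure(PLAY, max_rounds=k)` returns $2 + k$ clauses and reports that it did not saturate; `bipolar_counts(PLAY)` gives one bipolar for $p_1$ and two for $p_2$, the situation in which the text warns that $R(E_1 \wedge P)$ can be infinite.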

While many policy bases that arise in practice have no more than one bipolar
literal in each clause, we have found two relatively common situations in which this
is not the case. The first is when policies refer to properties that are, intuitively,
defined in the environment. The second is when the policy set includes both
permitting and denying policies (that is, the set has policies with Permitted in the
conclusion and policies with $\neg Permitted$ in the conclusion).

(Footnote 3, continued.) substitutes $f(x)$ for $y$, instead of substituting Alice for $x$ and $f(Alice)$ for $y$. So, the resolvent of
$c$ and $c'$ is $\forall x(S(f(x)) \vee S(g(x)))$. (See [Nerode and Shore 1997] for details.)

To see why the bipolar restriction might be violated in the presence of definitions,
consider a video store that has three types of customers: regular, gold, and
platinum. Every adult member is permitted to send queries to the store's helpdesk,
where adulthood is defined by the state in which the individual resides. In New
York, an individual is an adult if she is over twenty-one years old. In Alaska, an
individual is an adult if she is over eighteen. Formally,

$p_1 = \forall x(Adult(x) \wedge Member(x) \Rightarrow Permitted(x, query\ helpdesk))$

$e_1 = \forall x(Over21(x) \wedge InNY(x) \Rightarrow Adult(x))$

$e_2 = \forall x(Over18(x) \wedge InAK(x) \Rightarrow Adult(x))$

$e_3 = \forall x(RegMember(x) \Rightarrow Member(x))$

$e_4 = \forall x(GoldMember(x) \Rightarrow Member(x))$

$e_5 = \forall x(PlatinumMember(x) \Rightarrow Member(x))$

Roughly speaking, $e_1$ and $e_2$ define the notion of being an adult, while $e_3$, $e_4$,
and $e_5$ define the notion of being a member. These definitions are used in $p_1$ to
regulate who may send queries to the helpdesk. It is easy to see that $p_1$ has two
bipolar literals in $p_1 \wedge e_1 \wedge \ldots \wedge e_5$, namely $Adult(x)$ and $Member(x)$. Therefore,
the bipolar restriction does not hold in this example. More generally, if a policy $p$
mentions $k$ terms that are defined in the environment, then $p$ will include $k$ bipolar
literals.

Definitions in this spirit arise frequently in government legislation, including the
Social Security database and the Privacy Rule. Thus, handling definitions is a matter
of practical importance. Perhaps the simplest approach is to rewrite the policy
$p_1$ so as to replace the defined predicates in the antecedent by their definitions. This
will result in an equivalent policy base with no bipolars. The effect of replacing
Adult and Member by their definitions in our example is to replace $p_1$ by the six
policies in $P_{NY} \cup P_{AK}$, where

$P_{NY} = \{\forall x(Over21(x) \wedge InNY(x) \wedge Pr(x) \Rightarrow Permitted(x, query\ helpdesk)) :
Pr \in \{RegMember, GoldMember, PlatinumMember\}\}$

$P_{AK} = \{\forall x(Over18(x) \wedge InAK(x) \wedge Pr(x) \Rightarrow Permitted(x, query\ helpdesk)) :
Pr \in \{RegMember, GoldMember, PlatinumMember\}\}$

Notice that there are no bipolars in $\bigwedge_{p \in P_{NY} \cup P_{AK}} p$ and the policies permit the same
actions as $p_1 \wedge e_1 \wedge \ldots \wedge e_5$.

Our translation illustrates a potential problem with this approach: it can blow
up the size of the policy set. Suppose that a policy $p$ has $m$ bipolar literals and
that literal $i$ is defined using $c_i$ clauses. Rewriting would result in replacing policy
$p$ by $c_1 \times \cdots \times c_m$ policies. Each of the new policies can also be longer than $p$,
although the total length of each one can be no more than $|E_1|$, where $E_1$ is the
first-order part of the environment. Is this so bad? Examples in the social security
database and in the Privacy Rule suggest that typically $m$ is less than three and $c_i$
is less than five, in which case definitions do not significantly reduce the efficiency
of our procedures.

In practice, we can often improve efficiency by removing definitions that are
irrelevant when answering queries in a given environment. Continuing our earlier
example, suppose that $E$ is the environment that results from Alice presenting
certificates that show she is a regular member who is over eighteen and in Alaska
(i.e., $E = RegMember(Alice) \wedge Over18(Alice) \wedge InNY(Alice)$). It is easy to
see that we can remove $e_1$, $e_4$, and $e_5$ without changing the set of permissions that
are implied by the policy base. In practice, we believe that this single optimization
will usually result in each $c_i$ being one (i.e., every predicate is defined by at most
one clause), in which case our approach to handling definitions does not increase the
number of policies mentioned in the query. As an aside, this optimization is one of
many that are well-known in the theorem-proving community. We suspect that, by
applying the appropriate optimizations, we can answer queries substantially faster
than is indicated by the worst-case complexity results given in Theorem 4.7.
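The unfolding of definitions into $p_1$ and the pruning optimisation just described, as an added example in Python (not the paper's code). Definitions are stored as a map from each defined predicate to the antecedent bodies of the clauses defining it ($e_1$ to $e_5$ above), policies are simple policies over the single variable $x$, and Alice's certificates are taken to place her in Alaska, as the prose says; the environment sets are constructed for this example.

```python
from itertools import product

# Constructed instance of the video-store example.  A definition maps a defined predicate
# to the bodies of the clauses defining it (e1..e5 in the text); a simple policy is
# (antecedent atoms, conclusion), every atom being applied to the one variable x.
DEFINITIONS = {
    "Adult": [("Over21", "InNY"), ("Over18", "InAK")],                 # e1, e2
    "Member": [("RegMember",), ("GoldMember",), ("PlatinumMember",)],  # e3, e4, e5
}
P1 = (("Adult", "Member"), ("Permitted", "query helpdesk"))           # p1

def unfold(policy, defs, depth=8):
    """Replace each defined predicate of the antecedent by each of its bodies, giving
    c1 x ... x cm bipolar-free policies; nested definitions are unfolded too, up to
    `depth` levels (a guard against cyclic definitions)."""
    antecedent, conclusion = policy
    if depth == 0 or not any(a in defs for a in antecedent):
        return [policy]
    choices = [defs[a] if a in defs else [(a,)] for a in antecedent]
    result = []
    for combo in product(*choices):
        atoms = tuple(dict.fromkeys(a for body in combo for a in body))  # flatten, dedupe
        result.extend(unfold((atoms, conclusion), defs, depth - 1))
    return result

def prune(defs, env):
    """Drop definition clauses that cannot fire given the ground facts in env (the
    optimisation in the text), iterating to a fixpoint so that a predicate whose
    every clause was dropped stops counting as defined."""
    defs = {p: list(bodies) for p, bodies in defs.items()}
    while True:
        kept = {p: [b for b in bodies if all(a in env or a in defs for a in b)]
                for p, bodies in defs.items()}
        kept = {p: b for p, b in kept.items() if b}
        if kept == defs:
            return kept
        defs = kept

def permitted(policies, env, action):
    """Does some policy grant `action` to the individual whose attributes are env?"""
    return any(all(a in env for a in ante) and concl == ("Permitted", action)
               for ante, concl in policies)

# Alice's certificates: regular member, over eighteen, resident in Alaska (constructed).
ALICE = {"RegMember", "Over18", "InAK"}
```

`unfold(P1, DEFINITIONS)` produces the six policies of $P_{NY} \cup P_{AK}$; after `prune(DEFINITIONS, ALICE)` only $e_2$ and $e_3$ survive, so every $c_i$ is one and the unfolding is the single policy $Over18(x) \wedge InAK(x) \wedge RegMember(x) \Rightarrow Permitted(x, query\ helpdesk)$. Both policy sets grant Alice the same permission, as the text claims.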

We next show how we can deal with policy bases that have both permitting and 
denying policies. This task would be easy if we could consider only the permitting 
policies (ignoring the denying policies) when determining if an action is permitted. 
Unfortunately, if we do this, then we might not answer queries correctly. 

To see why, consider an environment $E$ that says "Alice is a student" and a policy
set $\mathcal{P} = \{p_1, p_2, p_3\}$, where $p_1$ says "faculty members may chair committees", $p_2$
says "students may not chair committees", and $p_3$ says "anyone who is not a faculty
member may take naps". We can write these policies as

$p_1 = \forall x(Faculty(x) \Rightarrow Permitted(x, chair\ committees))$,
$p_2 = \forall x(Student(x) \Rightarrow \neg Permitted(x, chair\ committees))$,
$p_3 = \forall x(\neg Faculty(x) \Rightarrow Permitted(x, nap))$.

Clearly, $p_1$ and $p_3$ are permitting policies and $p_2$ is a denying policy. Because $p_1$
is equivalent to $\forall x(\neg Permitted(x, chair\ committees) \Rightarrow \neg Faculty(x))$, $p_1$ and $p_2$
together imply that no student is a faculty member. (Intuitively, students cannot
be faculty members, because no one can be both permitted and not permitted
to chair committees.) Because students are not faculty members, Alice, being a
student, is not a faculty member and, by $p_3$, may take a nap. We cannot determine
that Alice may nap if we consider only the permitting policies, because to derive
the permission we need the environment fact that is implied by $p_1 \wedge p_2$.

If each fact implied by a permitting and denying policy together were derivable
from either the environment or a single policy, then we could separate the
permitting policies from the denying policies. Intuitively, this is because the
interaction would not provide any information that was not already known. To
formalize this intuition, note that each implied fact corresponds to a resolvent of
a permitting and denying policy. In the previous example, the implied fact that
students are not faculty members corresponds to the resolvent of $p_1$ and $p_2$, namely
$\forall x(Faculty(x) \Rightarrow \neg Student(x))$. Therefore, if every resolvent of a permitting and
denying policy is already implied by the environment or a single policy, then we
can separate the policies. Continuing our example, we could separate the policies
if the environment said that students were not faculty members. A closer analysis
shows that we need to consider only those resolvents that are created by resolving
on a literal that mentions Permitted.

To formalize all this, we need to discuss permitting and denying policies in a bit
more detail. Note that a policy such as $\forall x(Permitted(Alice, a) \Rightarrow Permitted(Bob, a))$
is logically equivalent to both a permitting policy and a denying policy. (The denying
policy is $\forall x(\neg Permitted(Bob, a) \Rightarrow \neg Permitted(Alice, a))$.) We say that a
policy is pure if it is not logically equivalent to both a permitting and a denying
policy. For example, policies that do not mention Permitted in the antecedent
(which is the case for almost all the policies we have collected) are guaranteed to
be pure.
Theorem 4.5. Suppose that $E$ is a standard environment, $P$ is a conjunction of
pure permitting policies, and $D$ is a conjunction of (not necessarily pure) denying
policies such that, for every resolvent $f$ created by resolving a conjunct of $P$ and a
conjunct of $D$ on a literal that mentions Permitted, either $E \Rightarrow f$ is valid or $q \Rightarrow f$
is valid for some conjunct $q$ of $P \wedge D$. Then, for all terms $t$ and $t'$ of the appropriate
sort, $E \wedge P \wedge D \Rightarrow Permitted(t, t')$ is valid iff $E \wedge P \Rightarrow Permitted(t, t')$ is valid.

We can always add clauses to a policy base to obtain an equivalent policy base
that satisfies the antecedent of Theorem 4.5. Therefore, the key question is not
"how likely are these conditions to hold in practice", but "how many clauses are
we going to have to add in practice so that these conditions hold". Example 4.4
shows that we may need to add an infinite number of policies to the set. However, in
practice, policies are often simple. (Recall that a policy $p$ is simple if the antecedent
of $p$ does not mention Permitted.) If every policy in a policy base is simple, then
every resolvent is an environment fact and there is, at most, one resolvent per pair
of permitting and denying policies. So, if the policy base mentions $n$ policies, all
simple, then we can satisfy the antecedent of Theorem 4.5 by adding at most $n^2$
clauses to the environment.

Adding clauses to the environment, however, can have an unfortunate consequence.
Suppose that $E$, $P$, and $D$ are as defined in Theorem 4.5 and $E'$
is $E$ extended so that the antecedent of Theorem 4.5 holds. Then the policy
bases $E' \wedge P$ and $E' \wedge D$ might violate the bipolar restriction, even if $E \wedge P$
and $E \wedge D$ do not. To illustrate the problem, recall our earlier example in which
policy $p_1$ says "faculty members may chair committees", $p_2$ says "students may
not chair committees", and $p_3$ says "anyone who is not a faculty member may
take a nap". Consider a policy set that consists of $p_1$, $p_2$, $p_3$, and a policy $p_4$
that says "anyone who is not a student may not enter the student-only website"
($\forall x(\neg Student(x) \Rightarrow \neg Permitted(x, enter\ student\ site))$). To satisfy the conditions
of Theorem 4.5, we could add a clause $e$ to the environment that says "students
are not faculty" ($e = \forall x(Student(x) \Rightarrow \neg Faculty(x))$). By Theorem 4.5,
we can now separate the permitting and denying policies. However, determining if
a permission is denied might be an intractable problem because the denying policies
together with $e$ violate the bipolar restriction; $e$ has two bipolar literals in $e \wedge p_2 \wedge p_4$.

In this example, we can avoid the problem by satisfying the antecedent of Theorem 4.5
in another way. Rather than adding $e$ to the environment, we could replace
$p_1$ by the policy $p'_1 = \forall x(Faculty(x) \wedge \neg Student(x) \Rightarrow Permitted(x, chair\ committees))$,
which says that faculty members who are not students may chair committees. Note
that every clause in $p'_1 \wedge p_3$ has at most one literal that is bipolar in $p'_1 \wedge p_3$, and
every clause in $p_2 \wedge p_4$ has at most one literal that is bipolar in $p_2 \wedge p_4$. So the
antecedent of Theorem 4.5 holds and the resulting policy bases satisfy the bipolar
restriction. We suspect that, in practice, a policy base $E \wedge P \wedge D$ either satisfies
the bipolar restriction or can be converted to an equivalent policy base $E' \wedge P \wedge D$
that satisfies the antecedent of Theorem 4.5 and has the property that both $E' \wedge P$
and $E' \wedge D$ satisfy the bipolar restriction. We have not, however, done an extensive
check.

Instead of adding these clauses to the environment automatically, it might be 
better to verify the changes with the policy maker. To see why, recall the two 
policies "faculty members may chair committees" and "students may not chair
committees". We could satisfy the antecedent of Theorem 4.5 by adding the fact 
"no student is a faculty member" to the environment. But suppose that there is 
(or could one day be) a student who is also a faculty member. Then the policy 
maker may want to revise the policies to take this into account, rather than allowing 
the environment to (possibly) become inconsistent. In general, we expect that the 
additional facts needed to satisfy the antecedent of Theorem 4.5 will be ones that 
either the user would agree should have been there all along or are ones that should 
not be there and in fact suggest that the policies should be rewritten. 
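The faculty/student example of this section worked through, as an added example in Python (not the paper's code). It uses the ground instances of $p_1$, $p_2$ and $p_3$ for the single requester Alice, so that entailment can be decided by enumerating truth assignments; `separable` checks the antecedent of Theorem 4.5 on those ground clauses (every resolvent of a permitting and a denying clause on a Permitted literal must be implied by the environment or by one policy), and `consistent` is the satisfiability check that Section 5 relates to the same condition. The literal syntax (`~A` for negation) and all clause instances are constructed for this example.

```python
from itertools import product

def clause(*literals):
    """Ground clause from literals written 'A' or '~A' (constructed notation)."""
    return frozenset((not l.startswith("~"), l.lstrip("~")) for l in literals)

def model(clauses):
    """A satisfying assignment of the ground clause set, or None.  Brute force, which
    is fine for the handful of atoms one requester's policy instances produce."""
    atoms = sorted({atom for c in clauses for _, atom in c})
    for values in product([False, True], repeat=len(atoms)):
        v = dict(zip(atoms, values))
        if all(any(v[atom] == pos for pos, atom in c) for c in clauses):
            return v
    return None

def implies(clauses, target):
    """clauses |= target (a clause): negating each of its literals as a unit clause
    makes the set unsatisfiable."""
    return model(set(clauses) | {frozenset({(not pos, atom)}) for pos, atom in target}) is None

def permitted_resolvents(p, d):
    """Resolvents of a permitting and a denying clause on a literal mentioning Permitted."""
    return [(p - {(pos, atom)}) | (d - {(not pos, atom)})
            for pos, atom in p if atom.startswith("Permitted(") and (not pos, atom) in d]

def separable(env, perm, deny):
    """Antecedent of Theorem 4.5: each such resolvent follows from the environment
    alone or from a single policy, so P and D can be treated separately."""
    return all(implies(env, r) or any(implies({q}, r) for q in perm | deny)
               for p in perm for d in deny for r in permitted_resolvents(p, d))

# Ground instances for the requester Alice (constructed from the policies in the text).
ENV = {clause("Student(Alice)")}
P1 = clause("~Faculty(Alice)", "Permitted(Alice, chair committees)")
P2 = clause("~Student(Alice)", "~Permitted(Alice, chair committees)")
P3 = clause("Faculty(Alice)", "Permitted(Alice, nap)")
P1_PRIME = clause("~Faculty(Alice)", "Student(Alice)", "Permitted(Alice, chair committees)")
E_FACT = clause("~Student(Alice)", "~Faculty(Alice)")   # e: students are not faculty
PERMITTING, DENYING = {P1, P3}, {P2}
NAP = clause("Permitted(Alice, nap)")

def alice_may_nap(env, perm, deny):
    return implies(env | perm | deny, NAP)

def consistent(env, perm, deny):
    """Section 5: a policy base is consistent iff it has a model, i.e. it does not
    both permit and forbid some action."""
    return model(env | perm | deny) is not None

if __name__ == "__main__":
    print("nap from permitting policies only:", alice_may_nap(ENV, PERMITTING, set()))
    print("nap from all policies:            ", alice_may_nap(ENV, PERMITTING, DENYING))
    print("separable as given:               ", separable(ENV, PERMITTING, DENYING))
    print("separable with e added to E:      ", separable(ENV | {E_FACT}, PERMITTING, DENYING))
    print("separable with p1 replaced by p1':", separable(ENV, {P1_PRIME, P3}, DENYING))
    print("consistent:", consistent(ENV, PERMITTING, DENYING))
```

With the policies as given, the permission to nap follows only from all three policies together and `separable` is false, since the resolvent $\neg Faculty(Alice) \vee \neg Student(Alice)$ of $p_1$ and $p_2$ follows neither from $E$ nor from any single policy. Adding $e$ to the environment, or replacing $p_1$ by $p'_1$ (whose resolvent with $p_2$ is a tautology), makes the base separable, after which the permitting policies alone yield the nap permission; adding the fact that Alice is also faculty makes the base inconsistent, which is the situation the policy maker is asked about above.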

4.2.3 Dealing With the Equality Restriction. To explain how we can relax the
equality restriction, we need two definitions. We say that a standard query $q$
of the form $E_0 \wedge E_1 \wedge P \Rightarrow Permitted(t, t')$ is equation-free if no conjunct of
$E_0 \wedge E_1 \wedge P$, when written in CNF, has a disjunct of the form $t = t'$. (Note that an
equation-free query may mention equality in its antecedent, but only in the scope
of negation when the antecedent is written in CNF. Thus, for example, the query
$a \neq b \wedge (c = d \Rightarrow Permitted(t, t')) \Rightarrow Permitted(t, t')$ is equation-free.) It is
easy to see that Theorem 4.1 applies to equation-free queries; it is only positive
occurrences of $=$ that cause problems.

We can actually go slightly beyond equation-free queries. If $F_0$ is the conjunction
of equality statements in $E_0$, then $q$ is equality-safe provided that $E_1 \wedge P$ (when
written in CNF) has no clause with a disjunct of the form $t = t'$ and it is not the
case that $F_0 \Rightarrow t = t'$ is valid, where $t$ and $t'$ are closed terms that appear in $E_0$ and
either $t$ is a subterm of $t'$ or both $t$ and $t'$ mention function symbols. For example, $q$
is not equality-safe if $E$ includes the conjunct $c = f(c)$, the conjunct $f(c) = f'(c')$,
or both $f(c) = c'$ and $c' = f'(c')$ (since these together imply $f(c) = f'(c')$).

Note that the notion of equality-safe is a generalization of equation-free; an 
equality-safe query can have some conjuncts in E where equality does not ap- 
pear in the scope of a negation, as long as not too much can be inferred from 
those equality statements. The following proposition shows that we can efficiently 
convert an equality-safe query q to an equation-free query q' such that q is valid 
iff q' is valid. Thus, we can determine the validity of an equality-safe query by 
first transforming it to an equation-free query and then applying the techniques 
discussed previously. 

Proposition 4.6. If $q$ is an equality-safe standard query, then there is a standard
query $q'$ of the form $E'_0 \wedge E'_1 \wedge P' \Rightarrow Permitted(t, t')$ such that (a) $q$ is valid
iff $q'$ is valid, (b) $q'$ is equation-free, and (c) $|q'| = O(|q| L'_q)$, where $L'_q$ is the length
of the longest term in $q$. Moreover, we can find such a $q'$ in time $O(|q|)$.

Example B.8 in the appendix illustrates the procedure for converting $q$ to $q'$, and
shows the problems that arise if we allow queries that are not equality-safe. The
example also shows that the transformation procedure can increase the number of
bipolar literals. Since we need to restrict the number of bipolars for tractability,
our theorems must refer to the number of bipolars after the transformation. We
say that $\ell$ and $\ell'$ are unifiable relative to a set $E$ of equality statements if there are
variable substitutions $\sigma$ and $\sigma'$ such that it follows from $E$ that $\ell\sigma = \ell'\sigma'$. For
example, $P(a)$ and $P(b)$ are unifiable relative to $a = b$, and $Permitted(Alice, nap)$
and $Permitted(wifeOf(x), nap)$ are unifiable relative to $Alice = wifeOf(Bob)$.

Similarly, we can talk about a literal $\ell$ being bipolar in a formula $f$ relative to $E$.
If every conjunct in $E_1 \wedge P$ has at most one literal that is bipolar in $E_1 \wedge P$ relative
to the equality statements in $E_0$, then after the transformation each conjunct will
have at most one bipolar literal, which is what we need for tractability.

As we show in Theorem 4.7, we can handle equality-safe formulas. This suffices 
to handle the use of equality in all of the library and government policies that we 
collected, as well as the uses of equality in XrML and ODRL. 

4.2.4 The Effect of Unconstrained Variables. Let $q$ be a standard query of the
form $E_0 \wedge E_1 \wedge P \Rightarrow Permitted(t, t')$ that satisfies the four restrictions of Theorem 4.1
(possibly relaxed as discussed in Sections 4.2.2 and 4.2.3). These restrictions
essentially guarantee that (a) $q$ is valid if and only if there is a clause $c$ in
$R(E_1 \wedge P)$ such that $E_0 \wedge c \Rightarrow Permitted(t, t')$ is valid and (b) $R(E_1 \wedge P)$ is
relatively small. (This is made precise in Section 4.2.5.) The role of the variable
restriction is to ensure that, for each $c$ in $R(E_1 \wedge P)$, we can quickly determine
whether $E_0 \wedge c \Rightarrow Permitted(t, t')$ is valid. We now relax the variable restriction
in a way that preserves this property.

Let $c$ be a conjunct of $E_1 \wedge P$. A variable $v$ is constrained in $c$ relative to $q$ if $v$
appears as an argument to a literal that mentions Permitted, is a disjunct of $c$,
and is not bipolar in $E_1 \wedge P$ relative to the equality statements in $E_0$. For example,
consider the query "may Alice read file A" given that Alice is Ms. Jones, Alice may
copy any file to any destination, and if Ms. Jones may copy a file to a destination,
then she may read that file. We can write this query as

$q = (Alice = Ms.\ Jones) \wedge p_1 \wedge p_2 \Rightarrow Permitted(Alice, Read(file\ A))$,

where

$p_1 = \forall x_1 \forall x_2(Permitted(Alice, copySrcDst(x_1, x_2)))$, and

$p_2 = \forall x_1 \forall x_2(Permitted(Ms.\ Jones, copySrcDst(x_1, x_2)) \Rightarrow Permitted(Ms.\ Jones, Read(x_1)))$.

Note that $Permitted(Ms.\ Jones, Read(x_1))$ is the only literal in $p_1 \wedge p_2$ that is
not bipolar in $p_1 \wedge p_2$ relative to $Alice = Ms.\ Jones$. It follows that no variable is
constrained in $p_1$ relative to $q$; $x_1$ is constrained in $p_2$ relative to $q$; and $x_2$ is not
constrained in $p_2$ relative to $q$.

If every literal in every conjunct $c$ of $E_1 \wedge P$ mentions at most one variable
that is not constrained in $c$ relative to $q$, then it is not hard to show that every
literal in every clause $c'$ in $R(E_1 \wedge P)$ mentions at most one variable that is not
constrained in $c'$. (Recall that a variable is constrained in a clause $c$, as opposed
to being constrained in $c$ relative to a query, if it appears in $c$ as an argument
to Permitted.) It turns out that this property is sufficient to ensure that we can
quickly determine the validity of $E_0 \wedge c \Rightarrow Permitted(t, t')$ for each $c$ in $R(E_1 \wedge P)$.
It can also be shown that if every conjunct $c$ of $E_1 \wedge P$ mentions at most $k$ variables
that are not constrained in $c$ relative to $q$, then every clause $c$ in $R(E_1 \wedge P)$ mentions
at most $2k$ variables that are not constrained in $c$. In this case, it can be shown
that the validity of $E_0 \wedge c \Rightarrow Permitted(t, t')$ for a clause $c$ in $R(E_1 \wedge P)$ can
be determined in time exponential in $2k$. (All these claims are made precise in
Theorem 4.7.) It follows that if $k$ is less than three, which is likely to be the case
in practice, then we can remove the variable restriction entirely and still answer
queries in a reasonable period of time.

4.2.5 Putting It All Together. With all this machinery, we can finally define the
fragment of first-order logic that we believe to be appropriate for expressing policies.
Lithium consists of all equality-safe standard queries $E_0 \wedge E_1 \wedge P \Rightarrow Permitted(t, t')$
such that every conjunct in $E_1 \wedge P$ has at most one literal that is bipolar in $E_1 \wedge P$
relative to the equality statements in $E_0$.

We can quickly determine whether a query $q$ is in Lithium. To determine if $q$ is
equality-safe, we create equivalence classes for the terms in $E_0$, which takes linear
time, and then verify that each class has at most one term that is not a constant,
which also takes linear time. To determine if the bipolar restriction holds, we choose
a term from each equivalence class to represent the class (choosing a term that is
not a constant if possible) and replace each term in the query by its representative.
The bipolar restriction holds if each conjunct $c$ of $E_1 \wedge P$ has at most one literal
that is bipolar in $E_1 \wedge P$, which we can check in quadratic time.
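The equality-safety test of Section 4.2.3 and the representative-based rewriting of the Lithium membership check above, as an added example in Python (not the paper's code). Equivalence classes of the closed terms mentioned in $E_0$ are built with union-find and closed under congruence (so that $a = b$ also identifies $f(a)$ with $f(b)$); a query is reported unsafe if a class holds two terms with function symbols or a term together with one of its own subterms. After the check, every term is replaced by its class representative, a non-constant term where the class has one, which is the step that lets the equations be dropped. The term syntax and the sample equalities are constructed; the bipolar check that follows the rewriting is not part of this block.

```python
# Terms are written as strings such as "f(c)" or "wifeOf(Bob)" (constructed syntax);
# internally a constant is a 1-tuple and f(a, b) is ('f', a, b).

def parse(text):
    """'f(g(a), b)' -> ('f', ('g', ('a',)), ('b',))."""
    text = text.strip()
    if "(" not in text:
        return (text,)
    name, rest = text.split("(", 1)
    args, depth, cur = [], 0, ""
    for ch in rest[:-1]:                      # rest ends with the closing ')'
        if ch == "," and depth == 0:
            args.append(parse(cur)); cur = ""
        else:
            depth += (ch == "(") - (ch == ")"); cur += ch
    args.append(parse(cur))
    return (name.strip(),) + tuple(args)

def show(t):
    return t[0] if len(t) == 1 else "%s(%s)" % (t[0], ", ".join(show(a) for a in t[1:]))

def subterms(t):
    yield t
    for a in t[1:]:
        yield from subterms(a)

def term_classes(equalities):
    """Equivalence classes of every term and subterm mentioned in the equality
    statements of E0: union-find for transitivity, then closed under congruence."""
    parent = {}
    def find(t):
        parent.setdefault(t, t)
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra == rb:
            return False
        parent[ra] = rb
        return True
    terms = set()
    for lhs, rhs in equalities:
        left, right = parse(lhs), parse(rhs)
        terms.update(subterms(left)); terms.update(subterms(right))
        union(left, right)
    apps = [t for t in terms if len(t) > 1]
    changed = True
    while changed:                            # a = b gives f(a) = f(b), to a fixpoint
        changed = any(union(a, b) for a in apps for b in apps
                      if a[0] == b[0] and len(a) == len(b) and find(a) != find(b)
                      and all(find(x) == find(y) for x, y in zip(a[1:], b[1:])))
    groups = {}
    for t in terms:
        groups.setdefault(find(t), set()).add(t)
    return list(groups.values())

def unsafe_reason(equalities):
    """None when the equalities are equality-safe; otherwise the offending pair:
    two terms with function symbols made equal, or a term equal to its own subterm."""
    for cls in term_classes(equalities):
        apps = sorted(t for t in cls if len(t) > 1)
        if len(apps) > 1:
            return "%s = %s: two terms with function symbols" % (show(apps[0]), show(apps[1]))
        for t in cls:
            if any(sub in cls for sub in list(subterms(t))[1:]):
                return "%s: equal to one of its own subterms" % show(t)
    return None

def to_equation_free(equalities, literals):
    """Replace every term by its class representative (a term with a function symbol
    if the class has one, otherwise a fixed constant); the equations can then be
    dropped.  Refuses queries that are not equality-safe."""
    reason = unsafe_reason(equalities)
    if reason:
        raise ValueError("not equality-safe: " + reason)
    rep = {}
    for cls in term_classes(equalities):
        apps = [t for t in cls if len(t) > 1]
        r = apps[0] if apps else min(cls)
        rep.update({t: r for t in cls})
    def rewrite(t):
        return rep[t] if t in rep else (t[0],) + tuple(rewrite(a) for a in t[1:])
    return [show(rewrite(parse(l))) for l in literals]
```

The three unsafe cases listed in Section 4.2.3 ($c = f(c)$; $f(c) = f'(c')$; and $f(c) = c'$ together with $c' = f'(c')$) are all rejected by `unsafe_reason`, while $Alice = wifeOf(Bob)$ is safe, and rewriting makes $Permitted(Alice, nap)$ and $Permitted(wifeOf(Bob), nap)$ syntactically identical, which is what "unifiable relative to" the equality amounts to for ground literals.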

The discussion in Sections 4.2.1, 4.2.2, and 4.2.3 suggests that queries in Lithium
are tractable. The following theorem makes this precise. We prove the theorem only
for equation-free Lithium queries, but by Proposition 4.6, it applies to equality-safe
queries as well (although the complexity statements would have to be changed to
take into account the possible increase in size when converting from equality-safe
to equation-free queries).

Let $L_f$ be the length of the longest clause in a CNF formula $f$, and let $L'_f$ be the
length of the longest term in $f$.

Theorem 4.7. The validity of an equation-free Lithium query $q = E_0 \wedge E_1 \wedge P \Rightarrow Permitted(t, t')$
with $m$ terms in $E$ can be determined in time $O((|E_0| + T|E_1 \wedge P|^2) \log |E_0|)$,
where $T = m L_{E_1 \wedge P} L'_{E_1 \wedge P} |Permitted(t, t')|$ if every literal in every
conjunct $c$ of $E_1 \wedge P$ mentions at most one variable that is not constrained in
$c$ relative to $q$; otherwise, $T = m^{2k} L_{E_1 \wedge P} L'_{E_1 \wedge P} |Permitted(t, t')|$, where every
conjunct $c$ of $E_1 \wedge P$ has at most $k$ variables that are not constrained in $c$ relative
to $q$.

Theorem 4.7 shows that Lithium is tractable. Is it sufficiently expressive? The 
bipolar restriction holds in all of the applications that we considered, provided that 
definitions and mixed policy sets are handled as described in Section 4.2.2. We be- 
lieve that our examples are representative, and that in fact the restriction will hold 
in practice. The restriction to equality-safe queries is likely to hold for applications
that do not include a threshold policy; that is, a policy of the form "if $k$ instances
of $P$ hold then subject $t_1$ may do action $t'$". If an application includes threshold
policies, then the restriction is still likely to hold provided that the environment
stores the number of relevant instances of $P$ that hold rather than the instances
themselves. For example, the threshold policy "if two people blackball Alice, then
she may not join the club" can be written in Lithium if the environment stores the
number of people who blackball Alice (e.g., $numOfBlackballers = 2$), instead of
who blackballs Alice (e.g., $Blackballs(Bob, Alice) \wedge Blackballs(Carol, Alice)$).
5. CONSISTENCY

Recall that a policy set is inconsistent if it both permits and forbids the same action. 
By detecting inconsistencies, we can warn policy writers that their policies probably 
do not match their intentions. We expect that this ability will be particularly 
important if the policy set is large or if it is created and maintained by more than 
one person. In addition, we can verify that a policy base P is consistent with a 
policy base P' by checking that PUP' is consistent. For example, suppose that 
access to a patient's medical file is regulated by the hospital's policies and state 
law. If the union of the two policy bases is consistent, then the hospital's policies 
do not contradict state law. (Note that the converse is not necessarily true.) 

Clearly, $E \wedge P$ is not consistent iff both $E \wedge P \Rightarrow Permitted(c, c')$ and $E \wedge P \Rightarrow
\neg Permitted(c, c')$ are valid, for arbitrary constants $c$ and $c'$. Thus, if the two
queries are in Lithium, then we can apply our previous techniques to show that we
can efficiently check consistency. However, we can say even more. If the condition
of Theorem 4.5 (or the corresponding condition for determining prohibitions) is
met, then we automatically have consistency, provided that $E$ is consistent.

Theorem 5.1. Suppose that $E$ is an environment, $P$ is a conjunction of pure
permitting policies, and $D$ is a conjunction of (not necessarily pure) denying policies
such that the antecedent of Theorem 4.5 holds. Then $E \wedge P \wedge D$ is satisfiable iff $E$
is satisfiable.

Thus, in addition to making it feasible to check the consequences of policies, our 
conditions essentially prevent users from writing inconsistent policies. This is a 
major benefit of adhering to these restrictions! 

6. USABILITY 

In this section, we consider ways to make Lithium accessible to people who are 
not conversant with first-order logic. The restrictions on bipolars and equality in 
Lithium might be difficult to explain to non-logicians, but we suspect that teaching 
people to write standard queries can be done quickly, particularly if syntactic sugar 
is used to help the medicine go down.

We are currently designing usability tests to verify that computer programmers 
can learn to translate English sentences to standard (sugared) queries quickly. The 
"sugaring" involves, for example, rewriting "$\forall x_1 \ldots \forall x_n(\ell_1 \wedge \ldots \wedge \ell_k \Rightarrow \ell_{k+1})$" as
"$type_1\ x_1; \ldots; type_n\ x_n;$ if $\ell_1$ and $\ldots$ and $\ell_k$ then $\ell_{k+1}$", where $type_i$ is the
sort of variable $x_i$. We are focusing on programmers because, if this community can
read and write queries, then they can build user interfaces for other communities, 
along with translators that convert user input to queries. Of course, input entered 
through a user interface can also be translated directly to a (non-sugared) standard 
query. For example, it should be possible to write a form-based interface that allows 
users to enter queries, which can then be translated directly to Lithium. Such a 
form-based interface was sketched in the conference version of the paper [Halpern 
and Weissman 2003]. We have not pursued it because we feel it is better to write 
an interface for programmers. 

The key question is how we should explain the bipolar and equality restrictions to 
policy writers. One option is to define a fragment of Lithium that is easy to explain 
to non-logicians and fairly expressive. For example, let S be the set of standard
queries in which the environment is basic (a conjunction of Permitted-free liter- 
als), the policies are simple (Permitted is not mentioned in the antecedent), and 
the antecedents of policies are negation-free. It is easy to see that every query in S is 
in Lithium. Another example is Rosetta [Weissman and Lagoze 2004] . Rosetta is a 
fragment of (somewhat stilted) English in which queries can be written. All queries 
that can be expressed in Rosetta are guaranteed to be convertible to Lithium. Fi- 
nally, graphical interfaces can be designed in such a way that every query written 
using the interface can be translated to Lithium. We conjecture that the Infor- 
mation Rights Management system that is part of Microsoft's Office, Professional 
Edition 2003 [Microsoft 2003] is an example of this approach, although we have 
not verified that all policies written through these interfaces satisfy the bipolar and 
equality restrictions. In short, we believe that, for many applications, there is a 
fragment of Lithium that is both sufficiently expressive and accessible to users with 
minimal training. Which fragment is appropriate depends on the capabilities of the 
users and the needs of the application. 

Another approach is to give policy writers guidelines and tools to help them 
write policy bases that satisfy our requirements. For example, we might suggest 
that policy writers try to minimize their use of negation, equality, and universal 
formulas in the environment. We can provide tools to check if proposed policy 
bases are likely to lead to queries that are in Lithium. In practice, we expect policy 
writers to define the universal formulas in the environment and the policies (i.e., 
$E_1 \wedge P$); individuals then present certain credentials (i.e., $E_0$) along with a request 
(i.e., $\mathit{Permitted}(t, t')$). In this setting, we can check if the bipolar restriction and 
equality restriction are satisfied by $E_1 \wedge P$ and, if so, we can conclude that every 
query of the form $E_0 \wedge E_1 \wedge P \Rightarrow \mathit{Permitted}(t, t')$ is in Lithium provided that $E_0$ 
is equality-free. This allows us to identify potential problems at "compile time" 
and alert the policy writer, who might then choose to change the policies and 
environment to more closely adhere to the guidelines. 

Perhaps the simplest solution is to not do anything at all. We believe, and have 
argued throughout this paper, that queries in practice are likely to be in Lithium. So 
users might not need to understand the restrictions on bipolar literals and equality, 
because they will naturally write queries that satisfy our requirements. We can 
build a verifier to check that a user's query is either in Lithium or can be converted 
to Lithium using the techniques discussed in Section 4.2.2. If a query is in Lithium, 
then the user is assured that her question will be answered efficiently. Otherwise, 
the verifier issues a warning. The warning could be ignored since our algorithm for 
answering queries might still run efficiently or, since warnings are likely to be rare, 
an expert could be consulted. 

We expect that all of these strategies will allow naive users to express their queries 
in Lithium easily. It is up to the application developers to decide which approach 
is best in their setting. 

7. RELATED WORK 

There has been a great deal of work on policy languages. Since we cannot hope to 
review all of the work in only a few pages, we restrict our attention to some of the 
best-known approaches and to those that seem most similar to Lithium. 

The classic approach in the Computer Science community is arguably the one 
taken by UNIX. Every policy in UNIX can be expressed as a formula of the 
form $\forall x(R(x, r) \Rightarrow \mathit{Permitted}(x, act(r)))$, where $R \in \{\mathit{User}, \mathit{Group}, \mathit{Other}\}$, 
$act \in \{read, write, execute\}$, and $r$ is a constant typically representing a file 
or directory. The corresponding environment can be written as a conjunction of 
ground literals. It is easy to see that every query in UNIX can be written in Lithium. 
However, the UNIX approach to answering a query is somewhat different than that 
taken by Lithium. UNIX assumes that every action not explicitly permitted is 
forbidden. Thus, with an empty environment ($\mathit{true}$), the UNIX response to the query 
$\neg\mathit{Permitted}(\mathit{Alice}, read(\mathit{file\ f}))$ would be yes, while the Lithium response would 
be no (it does not logically follow from $\mathit{true}$ that Alice is not permitted to edit file 
f). We can modify Lithium to give the same answers to queries as UNIX, simply 
by saying that the answer to a query of the form $\neg\mathit{Permitted}(t, t')$ given a policy 
base $b$ is yes iff $b \Rightarrow \mathit{Permitted}(t, t')$ is not acceptably valid; that is, a prohibition 
holds if and only if the corresponding permission does not. Since we know how 
to determine whether a permission holds, we can determine if a prohibition holds 
according to the revised definition. This modified version of Lithium can also cap- 
ture the way policies are evaluated using access control lists. We believe that we 
can also capture whether a permission follows in SPKI/SDSI [Ellison et al. 1999a; 
1999b] from a collection of certificates in Lithium, although we have not checked 
the details. 

Perhaps the most talked-about policy language in industry today is the XML- 
based language XACML [Moses 2005]. Every XACML query can be written as 
a standard query in which all policies are simple (the antecedents of policies are 
Permitted-free) and the environment is basic (a conjunction of Permitted-free 
ground literals). There are two significant differences between XACML and Lithium. 
The first is that users of XACML are expected to provide an algorithm for deter- 
mining whether a permission is granted, denied, or unregulated by a policy base, 
as a function of whether the permission is granted, denied, or unregulated by the 
individual policies in that policy base. For example, the deny-overrides algorithm 
(which is one of the built-in algorithms provided by XACML) says a permission is 
denied if it is denied by any single policy, is permitted if it is not denied by any sin- 
gle policy and is permitted by at least one, and is unregulated otherwise. Lithium 
essentially allows only one algorithm, which is logical consequence (a choice which 
cannot in fact be expressed in XACML, since it may depend on the interaction be- 
tween the policies in a policy base). We could, of course, modify the way Lithium 
handles queries to match any particular algorithm, although doing this may result 
in losing many of the unique features of Lithium. 

The second key difference between XACML and Lithium is the treatment of 
negation. In XACML, the semantics of negation is somewhat nonstandard. For 
example, in XACML, the policies "if Alice is good, then she may play" and "if 
Alice is not good, then she may play" together do not necessarily imply that Alice 
may play. The policies imply the permission only if the environment says either that 
Alice is good or that she is not good. So, given a set of XACML policies, we can 
replace every literal of the form $\neg R(t_1, \ldots, t_n)$ by $\mathit{NotR}(t_1, \ldots, t_n)$, where $\mathit{NotR}$ 
is a fresh predicate symbol, without changing the meaning of the policies. Thus, 
although XACML seems to allow the unrestricted use of negation, it is actually 
less expressive than Lithium in its use of negation. Moreover, we believe that the 
nonstandard usage of negation may well confuse users. 
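The three contrasts drawn above (UNIX's closed-world reading of a prohibition query, XACML's per-policy combining algorithms, and the case split on negation that logical consequence performs) can be run on small ground policy bases. The following is an added example and not code from the paper: a truth-table entailment checker over ground atoms, with the UNIX read policy, the deny-overrides algorithm and the two "Alice may play" policies written out as constructed inputs (the atom names and the function names are the example's own).

```python
"""Added example (not from the paper): answering ground policy queries by
logical consequence, and contrasting that with the UNIX-style closed-world
reading of prohibitions and with XACML's per-policy combining algorithms."""
from itertools import product

# Formulas are nested tuples over ground atoms written as plain strings.
# Universally quantified policies are instantiated for the constants of
# interest, as the paper's UNIX encoding does (R(x, r) => Permitted(x, act(r))).
def atom(name):
    return ("atom", name)

def neg(f):
    return ("not", f)

def imp(a, b):
    return ("imp", a, b)

def atom_names(f, acc=None):
    """Collect the names of the ground atoms mentioned in f."""
    acc = set() if acc is None else acc
    if f[0] == "atom":
        acc.add(f[1])
    else:
        for sub in f[1:]:
            atom_names(sub, acc)
    return acc

def holds(f, v):
    """Truth value of f under the assignment v (atom name -> bool)."""
    op = f[0]
    if op == "atom":
        return v[f[1]]
    if op == "not":
        return not holds(f[1], v)
    if op == "imp":
        return (not holds(f[1], v)) or holds(f[2], v)
    raise ValueError("unknown connective %r" % op)

def entails(base, query):
    """True iff (conjunction of base) => query is valid.  Everything is ground,
    so checking every truth assignment to the finitely many atoms suffices."""
    names = sorted(set().union(*(atom_names(f) for f in base + [query])))
    for bits in product([False, True], repeat=len(names)):
        v = dict(zip(names, bits))
        if all(holds(f, v) for f in base) and not holds(query, v):
            return False
    return True

def lithium_answer(base, query):
    """Lithium's answer: yes iff the query is a logical consequence of the base."""
    return "yes" if entails(base, query) else "no"

def unix_style_answer(base, query):
    """The modified Lithium described in the paper for UNIX/ACL semantics: a
    prohibition -Permitted(t, t') holds iff Permitted(t, t') does not follow."""
    if query[0] == "not" and query[1][0] == "atom" and query[1][1].startswith("Permitted"):
        return "no" if entails(base, query[1]) else "yes"
    return lithium_answer(base, query)

def deny_overrides(verdicts):
    """XACML's deny-overrides algorithm over per-policy verdicts."""
    if "deny" in verdicts:
        return "deny"
    if "permit" in verdicts:
        return "permit"
    return "unregulated"

def policy_verdict(env, policy, permission):
    """Verdict of one simple permitting policy (antecedent => Permitted(...))
    evaluated on its own against the environment, as XACML does: 'permit' if
    the environment establishes the antecedent, otherwise 'unregulated'."""
    antecedent, conclusion = policy[1], policy[2]
    if conclusion == permission and entails(env, antecedent):
        return "permit"
    return "unregulated"

# --- constructed inputs ------------------------------------------------------
READ_F = atom("Permitted(Alice, read(f))")
UNIX_POLICY = imp(atom("User(Alice, f)"), READ_F)   # instance of the User rule

def unix_prohibition_with_empty_env():
    """(Lithium answer, UNIX-style answer) to -Permitted(Alice, read(f))
    given the empty environment 'true', i.e. an empty base."""
    query = neg(READ_F)
    return lithium_answer([], query), unix_style_answer([], query)

PLAY = atom("Permitted(Alice, play)")
GOOD = atom("Good(Alice)")
IF_GOOD = imp(GOOD, PLAY)           # "if Alice is good, then she may play"
IF_NOT_GOOD = imp(neg(GOOD), PLAY)  # "if Alice is not good, then she may play"

def xacml_vs_lithium(env):
    """(deny-overrides verdict, Lithium answer) for 'may Alice play?'.  With an
    environment silent about Good(Alice), XACML finds neither policy applicable,
    while logical consequence grants the permission by case analysis."""
    verdicts = [policy_verdict(env, p, PLAY) for p in (IF_GOOD, IF_NOT_GOOD)]
    return deny_overrides(verdicts), lithium_answer(env + [IF_GOOD, IF_NOT_GOOD], PLAY)

if __name__ == "__main__":
    print(unix_prohibition_with_empty_env())   # ('no', 'yes')
    print(xacml_vs_lithium([]))                # ('unregulated', 'yes')
    print(xacml_vs_lithium([GOOD]))            # ('permit', 'yes')
```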

Another XML-based language that has received widespread support in industry 
is XrML [ContentGuard 2001]. XrML and Lithium are incomparable in expressive 
power. XrML is less expressive in that it does not allow negation. This means 
in particular that it cannot express denying policies and cannot capture a policy 
that grants a permission based on whether a condition does not hold. In addition, 
the conclusion of every environment fact that is not a ground literal is of the form 
R(p), where R is a unary predicate symbol and p is a principal. On the other hand, 
XrML is more expressive than Lithium in that a policy can grant a permission 
based on the answers to various queries. For example, in XrML, Alice's babysitter 
can write the policy "Alice is permitted to do some action a if the permission 
follows from her mother's policies and from her father's policies" . We can extend 
Lithium to include such policies as well. Let $\mathrm{Lithium}^+$ be Lithium extended with 
a $\mathit{Val}$ operator, where $\mathit{Val}(\varphi)$ is true if $\varphi$ is valid. We can write the babysitter's 
policy in $\mathrm{Lithium}^+$ as 
$\forall x(\mathit{Val}(E_m \wedge P_m \Rightarrow \mathit{Permitted}(\mathit{Alice}, x)) \wedge \mathit{Val}(E_d \wedge P_d \Rightarrow \mathit{Permitted}(\mathit{Alice}, x)) \Rightarrow \mathit{Permitted}(\mathit{Alice}, x))$, 
where $E_m \wedge P_m$ and $E_d \wedge P_d$ are 
the policy bases of Alice's mother and father respectively. We can place restrictions 
on $\mathrm{Lithium}^+$ similar in spirit to those on Lithium to ensure that it is tractable, yet 
expressive enough to capture the policies that users want in practice; see [Halpern 
and Weissman 2004] for details. 

The policy languages that are perhaps closest in spirit to Lithium are the ap- 
proaches that are based on some variant of Datalog. Examples of such languages 
include Delegation Logic [Li et al. 2003], the RT (Role-based Trust-management) 
framework [Li et al. 2002], Binder [DeTreville 2002], SD3 [Jim 2001], FAF (Flex- 
ible Authorization Framework) [Jajodia et al. 2001], and Cassandra [Becker and 
Sewell 2004]. Datalog is an efficient, well-understood reasoning engine that is restricted 
to function-free negation-free Horn clauses; these restrictions are made to 
ensure tractability. The variants, such as safe stratified Datalog [Garcia-Molina 
et al. 2002] or Datalog with constraints, allow limited use of functions and negation 
while preserving tractability. 

The main difference between Lithium and these Datalog-based languages is in 
the use of functions and negation. There are relatively few policy languages that 
include function symbols, but those that do (e.g. [Bertino et al. 1998; Li and 
Mitchell 2003; Becker and Sewell 2004]) seem to favor Datalog with constraints. By 
using this variant of Datalog, many structured resources, such as directories, can be 
expressed using functions. However, function symbols may not appear in intentional 
predicates (predicates whose relations are computed by applying Datalog rules, as 
opposed to being stored in a database). For example, the policy "every authorized 
individual may copy a classified file from one secure server to another" when written 
as 

$\forall x_1 \ldots \forall x_4(\mathit{Auth}(x_1) \wedge \mathit{Classified}(x_2) \wedge \mathit{Secure\_Server}(x_3) \wedge \mathit{Secure\_Server}(x_4) \Rightarrow \mathit{Permitted}(x_1, \mathit{copySrcDst}(x_2, x_3, x_4)))$ 

is not in Datalog with constraints. Also, for tractability, additional restrictions 
are often made. For example, Li and Mitchell [2003] do not allow formulas in 
constraints to have more than one variable and Becker and Sewell [2004] require 
that every argument of a function in a query be variable-free. 

There are a number of policy languages that allow a limited use of negation. 
Jajodia, Samarati, Sapino, and Subrahmanian [2001] base their policy language 
on Datalog with negation, which is a variant of Datalog that allows unrestricted 
use of negation in the body of rules. Datalog with negation is tractable because 
it makes the closed-world assumption: if we cannot prove that a positive literal is 
true, we take it to be false. Unfortunately, the closed-world assumption can lead to 
unintuitive (and probably unintended) results. For example, consider the policy "if 
Alice does not have bad credit, then she may apply for a loan", and suppose that 
the reasoning engine determines whether an individual has bad credit by reviewing 
her credit report. If Alice has bad credit and does not present her credit report, 
then a reasoning engine that makes the closed-world assumption will incorrectly 
assume that Alice does not have bad credit and thus will allow her to make a loan 
application. 

Several policy languages (e.g. [DeTreville 2002; Li et al. 2003; Li et al. 2002; 
Jim 2001]) are based on safe stratified Datalog. Safe stratified Datalog allows 
some use of negation in the body of rules and does not make the closed world 
assumption. However, the restrictions on negation still prevent it from capturing 
some permitting policies of interest. For example, the policy 

$\forall x(\neg\mathit{BadCredit}(x) \Rightarrow \mathit{Permitted}(x, \mathit{apply\ for\ loan}))$ 

(anyone without bad credit may apply for a loan) cannot be expressed. More 
importantly, denying policies cannot be expressed in safe stratified Datalog because 
the language does not allow negation in the conclusion of rules. 

This limitation may not seem to be particularly troublesome. After all, the 
standard approach is to assume that every permission not explicitly granted is 
denied. (For example, this is done in relational databases [Griffiths and Wade 
1976], almost all of the Datalog-based languages, UNIX, SPKI/SDSI [Rivest and 
Lampson 1996; Ellison et al. 1999a; 1999b], and KeyNote [Blaze et al. 1996].) 
However, in many contexts, it is difficult to believe that policymakers really want 
to forbid every action that they do not explicitly permit, so there is a mismatch 
between a policymaker's intentions and the interpretation of the policy base. This 
becomes a problem when different policymakers want to compare policy bases or 
combine them. The following examples illustrate the concern. 

Example 7.1. Suppose that a hospital wants to verify that its policies comply 
with federal regulations; that is, the hospital wants to check that, if the government 
permits an action, then the hospital permits it and, if the government forbids an 
action, then the hospital forbids it. If the policies are written in a language that 
captures only permissions, assuming all other actions are forbidden, then compliance 
checking is essentially impossible. In particular, if the hospital permits any 
action that is not regulated by the government (e.g., nurses may park in Lot A, all 
staff are welcome to drink the coffee in the lounge), then the hospital will appear 
to be non-compliant because it permits an action that is not explicitly permitted 
by the government and, thus, is implicitly forbidden. In short, because we cannot 
distinguish forbidden actions from unregulated ones, compliance checking reduces to 
determining whether one policy set is essentially identical to another. 

Example 7.2. Consider a group of libraries that want to merge their policies so 
that patrons are governed by the same regulations, regardless of which library they 
visit. When merging the policy sets, we clearly want to detect conflicts (e.g. one 
library lets minors check out adult books and another does not). Unfortunately, if 
a language can state only what is permitted, then this will be impossible. If we put 
the permitting policies from each library into one large set, then that set will be 
consistent (it is satisfied in the model that permits everything), regardless of which 
policies are in the set. Alternatively, we could require that no library permits an 
action that another forbids (which is what we want to do) under the assumption that 
every unregulated action is forbidden. It is not hard to see that this approach will 
always detect a conflict between sets of library policies unless the sets are essentially 
identical. 
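Examples 7.1 and 7.2 can be reproduced on small policy sets. The following added example (not code from the paper) models a policy set as a map from actions to explicit permit/forbid verdicts and compares a permit-only, closed-world reading with one that can state prohibitions; the government, hospital and library actions are constructed for the example.

```python
"""Added example (not from the paper): compliance checking (Example 7.1) and
conflict detection when merging policy sets (Example 7.2), with and without
the ability to state prohibitions explicitly."""

PERMIT, FORBID, UNREGULATED = "permit", "forbid", "unregulated"

def verdict(policy_set, action, closed_world):
    """Status of an action under a policy set given as {action: PERMIT|FORBID}.
    Under the closed-world reading used by permit-only languages, an action that
    is not explicitly permitted counts as forbidden; otherwise it is unregulated."""
    if action in policy_set:
        return policy_set[action]
    return FORBID if closed_world else UNREGULATED

def permit_only(policy_set):
    """What a language without denying policies can express: the prohibitions
    are dropped and can only be recovered by the closed-world assumption."""
    return {a: v for a, v in policy_set.items() if v == PERMIT}

def noncompliant_actions(local, regulator, closed_world):
    """Actions on which 'local' fails to follow 'regulator': the regulator
    permits (forbids) the action but 'local' does not.  Actions the regulator
    leaves unregulated impose no requirement."""
    bad = []
    for action in sorted(set(local) | set(regulator)):
        required = verdict(regulator, action, closed_world)
        if required != UNREGULATED and verdict(local, action, closed_world) != required:
            bad.append(action)
    return bad

def merge_conflicts(policy_sets, closed_world):
    """Actions that one policy set permits while another forbids."""
    conflicts = []
    for action in sorted(set().union(*policy_sets)):
        verdicts = {verdict(s, action, closed_world) for s in policy_sets}
        if PERMIT in verdicts and FORBID in verdicts:
            conflicts.append(action)
    return conflicts

# --- constructed policy sets (hypothetical, not taken from the paper) --------
GOVERNMENT = {"dispense_controlled_drug": PERMIT,
              "share_record_without_consent": FORBID}
HOSPITAL = dict(GOVERNMENT, park_in_lot_A=PERMIT, drink_lounge_coffee=PERMIT)

LIBRARY_1 = {"minor_checks_out_adult_book": PERMIT, "check_out_dvd": PERMIT}
LIBRARY_2 = {"minor_checks_out_adult_book": FORBID, "check_out_dvd": PERMIT,
             "use_study_room": PERMIT}

def hospital_compliance():
    """(non-compliant actions with explicit prohibitions,
        non-compliant actions in a permit-only, closed-world language).
    The hospital's unregulated extras make it look non-compliant only in
    the second reading, as Example 7.1 describes."""
    explicit = noncompliant_actions(HOSPITAL, GOVERNMENT, closed_world=False)
    implicit = noncompliant_actions(permit_only(HOSPITAL), permit_only(GOVERNMENT),
                                    closed_world=True)
    return explicit, implicit

def library_merge():
    """(conflicts with explicit prohibitions, conflicts seen in a permit-only
        union, conflicts seen under the closed-world assumption).  The union
        never conflicts; the closed-world reading reports a spurious one."""
    explicit = merge_conflicts([LIBRARY_1, LIBRARY_2], closed_world=False)
    permits = [permit_only(LIBRARY_1), permit_only(LIBRARY_2)]
    return explicit, merge_conflicts(permits, False), merge_conflicts(permits, True)

if __name__ == "__main__":
    print(hospital_compliance())
    print(library_merge())
```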

The issues involved with comparing and merging policy bases have by and large 
been ignored, but we believe they will become increasingly significant. It seems 
unlikely that a policy language will be able to support these features unless the 
language can express both permitting and denying policies. 

Although we do not know of a Datalog variant that allows negation in the conclu- 
sions of rules (thereby allowing denying policies), some languages seem to capture 
something comparable. For example, in FAF, actions are either positive or negative; 
the statement "principal p can do negative action act" means p is forbidden to do 
act. Another option in the same spirit is to have the predicate symbol Forbidden 
in the language, in addition to Permitted. A consequence of this approach is that 
it is not logically inconsistent for an action to be both permitted and forbidden. 
(Note that this is also the case for XACML, due to its nonstandard interpretation 
of negation.) To handle inconsistencies, FAF expects the policy writer to create 
overriding policies such as "if an action is both permitted and forbidden, then it 
is forbidden". If an inconsistency is detected when answering a query, then the 
overriding policy is applied. Similar approaches are taken by Chomicki et al. [2000] 
and Ioannides and Selis [1992]. The main problem with capturing prohibitions in 
this way is that the answers to queries might not match a policy writer's expec- 
tations. Policy writers typically do not intend to write policies that both permit 
and forbid the same action. Rather than identifying such policies and alerting the 
policy writer, potential errors are patched with overriding policies. In addition, 
these overriding policies are required even for consistent policy bases, which seems 
rather burdensome. 

Lithium deals with this issue in what is arguably a better way. Given a policy 
base written in Lithium, we can detect conflicts and determine why they occur at 
"compile time" rather than at "run time" , when a particular query is evaluated. 
Using this information, the policy writer can modify the environment and policies 
to more closely match her intentions. Moreover, if the antecedent of Theorem 5.1 
holds, then the policy base is inconsistent if and only if the environment alone is 
inconsistent. Thus, we can often determine when there is no conflict that needs to 
be addressed. 

The use of function symbols and negation is not the only difference between 
Lithium and other policy languages. Unlike Lithium, many languages have explicit 
support for groups and roles. A group is a set of subjects such that if a group 
has a property, then every member of the group has the property (cf. [Abadi et al. 
1993; Jajodia et al. 2001]). In role-based access control models [Ferraiolo et al. 
1999; Hitchens and Varadharajan 2001; Li et al. 2002; Sandhu et al. 1996] roles are 
an intermediary between individuals and rights. More specifically, an individual 
obtains a right by assuming a role that is associated with that right. For example, 
Alice may need to assume the role of Department Chair in order to obtain the 
budget. 

Predicate symbols can be used to capture groups and roles in first-order logic. 
For example, if we want to say that Alice is a member of the faculty and any faculty 
member may chair committees, then we can represent the group using the predicate 
Faculty. The environment fact is encoded as Faculty (Alice); the policy is then 

$\forall x(\mathit{Faculty}(x) \Rightarrow \mathit{Permitted}(x, \mathit{chair\ committees}))$. 

Similarly, the policy "Alice, acting as the Department Chair, may sign the budget" 
can be written as 

$\mathit{Dept\_Chair}(\mathit{Alice}) \Rightarrow \mathit{Permitted}(\mathit{Alice}, \mathit{sign\ the\ budget})$. 

The fact Dept_Chair(Alice) would be added to the environment when Alice as- 
sumes the role and would be removed when she relinquishes it. Alternatively, we 
could add a sort Roles to our logic along with the predicate As (as suggested by 
Lampson, Abadi, Burrows, and Wobber [1992]), where As(e,r) means that entity e 
is acting as role r (in other words, e has assumed role r). Continuing our example, 
"Alice, acting as the Department Chair, may sign the budget" could be written 
in the logic as $\mathit{As}(\mathit{Alice}, \mathit{Dept\_Chair}) \Rightarrow \mathit{Permitted}(\mathit{Alice}, \mathit{sign\ the\ budget})$. 
The second encoding for roles may be more in keeping with the spirit of the role- 
based model, but we believe that both approaches are reasonable (and our results 
apply to both choices). In short, Lithium supports groups and roles implicitly. 

Lithium, as well as the Datalog variants, all use a fragment of first-order logic 
to express policies. Other approaches use a modal logic. Formal work on deontic 
logic (the logic of "obligation" and "permission") goes back to von Wright [1951]. 
Glasgow, MacEwen, and Panangaden [1992] were the first to base a formal logic of 
security on deontic logic. The logic of access control considered by Lampson et al. and 
Abadi et al. [Lampson et al. 1992; Abadi et al. 1993] can also be viewed as a modal 
logic, with a says operator. These approaches can be translated into first-order 
logic, but they have features that take them beyond Lithium. For example, Abadi 
et al. have a calculus of principals; Glasgow, McEwen, and Panangaden deal with 
obligation as well as permission. We believe that many of these features could be 
added to Lithium, but we have not explored this issue. 

The KeyNote system [Blaze et al. 1998], which is based on PolicyMaker [Blaze 
et al. 1996], is more flexible than Lithium in that the application can invoke policies 
written in a number of different languages. These are programs that determine if 
a policy applies to a request and a requestor. Because KeyNote essentially views 
these programs as black boxes, it is quite limited in its ability to reason about 
policies. As discussed by Blaze, Feigenbaum, and Strauss [1998], the system needs 
to put restrictions on the programs to ensure correct analysis. This is in fact done 
in KeyNote, but at the price of a substantial reduction in the expressive power of 
the language. 

Finally, we remark that the design of Lithium was heavily influenced by the 
work of Halpern, van der Meyden, and Schneider [1999]. They identify some key 
issues that must be addressed when developing a policy language, evaluate various 
solutions that have been proposed in the literature, and recommend directions for 
future research. Our design incorporates three of their suggestions. In particular, 
we write policies in first-order logic; define sorts for principals, actions, and time; 
and use a Permitted predicate that takes an individual and an action argument. 
(This usage of Permitted is much in the spirit of how it is used in modal deontic 
logic.) 

8. CONCLUSION 

We have presented a fragment of first-order logic called Lithium that seems well- 
suited to reasoning about policies. Unlike previous approaches, Lithium allows 
nearly unrestricted use of function symbols while still preserving tractability. More- 
over, Lithium can express prohibitions explicitly, making it possible to capture the 
merger of policies. 

To be of practical use, a policy language must be accessible to non-experts with 
minimal training and it must be sufficiently expressive to capture the policies of 
real applications. To make Lithium more accessible, we have created a front end 
for it called Rosetta [Weissman and Lagoze 2004], and are currently designing ap- 
propriate usability tests. Whether a language is sufficiently expressive is obviously 
an empirical question: it depends on what people want to write. We have collected 
numerous policies and verified that they are all expressible in Lithium. Although 
this is certainly not a proof of anything, it does increase our confidence in the 
adequacy of Lithium's expressive power. 

In future work, we would like to extend Lithium to reason about policies that 
change over time. We are also exploring whether a hybrid of Lithium and a Datalog- 
based fragment can allow a further increase of expressive power without sacrificing 
tractability. 

Appendix 

A. PROOFS FOR SECTION 3 

The following lemma is the key to proving Theorems 3.1 and 3.3. 

Lemma A.1. Let $\mathcal{C}'_0$ be a set of closed formulas with no constant symbols whose 
only predicate symbol is Permitted. Let $\mathcal{C}_0$ be the set of closed formulas of the 
form 

$(f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$, 

where $c$ and $c'$ are constants of the appropriate sorts and $f \in \mathcal{C}'_0$. If the validity 
problem for $\mathcal{C}'_0$ is undecidable, then the validity problem for $\mathcal{C}_0$ is undecidable. 

Proof. We reduce the validity problem for $\mathcal{C}'_0$ to the validity problem for $\mathcal{C}_0$. 
Straightforward manipulations show that $(f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$ 
is equivalent to $f \vee \mathit{Permitted}(c, c')$. Clearly, if $f \vee \mathit{Permitted}(c, c')$ is not valid, 
then $f$ is not valid. Suppose that $f \vee \mathit{Permitted}(c, c')$ is valid. Since $f$ does not 
mention a constant symbol, $c$ and $c'$ do not appear in $f$, so $f \vee \forall x \forall y\, \mathit{Permitted}(x, y)$ 
is valid. It follows that $f$ is valid iff $f$ is true in all models $m$ that satisfy 
$\forall x \forall y\, \mathit{Permitted}(x, y)$. To determine whether $f$ is true in $m$, let $f'$ be the result 
of replacing all occurrences of $\mathit{Permitted}(x, y)$ by $\mathit{true}$. Clearly $f$ is true in 
$m$ iff $f'$ is true in $m$. Since $f'$ has no nonlogical symbols, $f'$ is true in $m$ iff $f'$ is 
valid. Moreover, the validity of $f'$ is easy to determine. □ 

Theorem 3.1. Let $\mathcal{C}_0$ be the set of closed formulas of the form 

$(f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$, 

where $c$ and $c'$ are constants of the appropriate sorts, $f$ has a single alternation 
of quantifiers, and the only nonlogical symbol in $f$ is Permitted. The validity 
question for $\mathcal{C}_0$ is undecidable. 

Proof. Let $\mathcal{C}'_0$ be the set of closed formulas that have a single alternation of 
quantifiers and whose only nonlogical symbol is Permitted. The proof follows 
from Lemma A.1, taking this set as $\mathcal{C}'_0$, because the validity problem for $\mathcal{C}'_0$ 
is undecidable [Borger et al. 1997]. □ 

Theorem 3.3. Let $\mathcal{C}_1$ be the set of closed formulas of the form 

$\forall x_1 \forall x_2 (f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$, 

where $c$ and $c'$ are constants of the appropriate sort and $f$ is a quantifier-free formula 
whose only nonlogical symbols are Permitted and a unary function. The validity 
problem for $\mathcal{C}_1$ is undecidable. 

Proof. Let $\mathcal{C}'_1$ be the set of closed formulas of the form $\exists x_1 \exists x_2 f$, where $f$ is a 
quantifier-free formula whose only nonlogical symbols are Permitted and a unary 
function. Because the validity problem for $\mathcal{C}'_1$ is undecidable [Borger et al. 1997], 
it follows from Lemma A.1 that the validity problem for the set of formulas of the 
form 

$(\exists x_1 \exists x_2 f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$ (1) 

is undecidable. Standard manipulations show that a formula of the form (1) is 
equivalent to 

$\forall x_1 \forall x_2 (f \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$. 

It follows that the validity problem for $\mathcal{C}_1$ is undecidable. □ 

Theorem 3.4. Let $\Phi$ be a vocabulary that contains Permitted, constants $c$ 
and $c'$ of sorts Subjects and Actions, respectively, and possibly other predicate and 
constant symbols (but no function symbols). Assume that there is a bound on the 
arity of the predicate symbols in $\Phi$ (that is, there exists some $N$ such that all 
predicate symbols in $\Phi$ have arity at most $N$). Finally, let $\mathcal{C}_2$ be the set of all closed 
formulas in $\mathcal{L}^{fo}(\Phi)$ of the form $E \wedge p_1 \wedge \ldots \wedge p_n \Rightarrow \mathit{Permitted}(c, c')$ such that $E$ is 
a conjunction of quantifier-free and universal formulas and each policy $p_1, \ldots, p_n$ 
has the form $\forall x_1 \ldots \forall x_m (f \Rightarrow \mathit{Permitted}(t_1, t_2))$, where $t_1$ and $t_2$ are terms of the 
appropriate sort and $f$ is quantifier-free. 

(a) The validity problem for $\mathcal{C}_2$ is in $\Pi_2^p$. 

(b) If $\mathcal{C}_3$ is the set of formulas in $\mathcal{C}_2$ in which every policy's antecedent is a 
conjunction of literals, then the validity problem for $\mathcal{C}_3$ is $\Pi_2^p$-hard. 

(c) If $\mathcal{C}_4$ is the set of $\mathcal{C}_2$ formulas in which $E$ is quantifier-free, then the validity 
problem for $\mathcal{C}_4$ is both NP-hard and co-NP-hard. 

Proof. For part (a), straightforward manipulations show that each formula $h$ 
in $\mathcal{C}_2$ is equivalent to a closed formula of the form $g = \exists x_1 \ldots \exists x_k g'$, where $g'$ is 
a quantifier-free formula in $\mathcal{L}^{fo}(\Phi)$. Moreover, $|g|$ is polynomial in $|h|$. Suppose 
that $g$ mentions $n$ distinct constant symbols. Let $\mathcal{M}$ be the class of models whose 
domain size is at most $\max(n, 1)$. We claim that (1) $g$ is valid iff it is true in every 
model in $\mathcal{M}$, and (2) the problem of determining if $g$ is true in every model $m \in \mathcal{M}$ 
is in $\Pi_2^p$. 

For part (1), the "only if" direction is trivial. To prove the "if" direction, suppose 
by way of contradiction that $g$ is true in every model in $\mathcal{M}$ and $g$ is not true in a 
model $m$ with domain $D$ and interpretation $I$. Let $D' = \{I(c) \mid c \text{ is a constant in } g\}$ 
if $g$ mentions at least one constant, and $D' = \{d\}$ for some fixed element $d \in D$ if $g$ 
does not mention any constants. Let $I'$ be the interpretation such that $I'(c) = I(c)$ 
if $I(c) \in D'$, $I'(c) = d'$ for some fixed $d' \in D'$ if $I(c) \notin D'$, and $I'(R) = D'^k \cap I(R)$ for 
each $k$-ary predicate $R$ in $\Phi$. Let $m'$ be the model with domain $D'$ and interpretation 
$I'$. Notice that $m'$ is in $\mathcal{M}$. By assumption, $m'$ satisfies $g$, so there are domain 
elements $d_1, \ldots, d_k$ in $D'$ such that by interpreting $x_i$ as $d_i$ for $i = 1, \ldots, k$, $m'$ 
satisfies $g'$. Under the same interpretation of $x_1, \ldots, x_k$, $m$ satisfies $g'$. Therefore 
$m$ satisfies $g$, and we have the desired contradiction. 

For part (2), first note that $g$ is true in all models in $\mathcal{M}$ iff it is true in all 
models with domain $\{1, \ldots, m\}$ for each $m \le \max(n, 1)$, since every model in $\mathcal{M}$ 
is isomorphic to one with domain $\{1, \ldots, m\}$ for some $m \le \max(n, 1)$. The truth of $g$ in 
such a model depends only on the interpretation of the constant and predicate 
symbols that actually appear in $g$. Let a restricted interpretation be one that 
interprets only the symbols that appear in $g$. Because there are $m^k$ interpretations 
of a $k$-ary predicate, and the arity of predicates in $g$ is bounded in a domain of 
size $m$, the number of restricted interpretations is polynomial in $|g|$. It clearly can 
be determined in time polynomial in $|g|$ if the formula $g'$ is true under a given 
restricted interpretation in a model with domain $\{1, \ldots, m\}$. Thus, determining if 
$g$ is true in such a model is in NP (since it involves guessing an interpretation of 
$x_1, \ldots, x_k$). It follows that the problem of determining if $g$ is true in every model 
of $\mathcal{M}$ is in $\Pi_2^p$. 

For part (b), let $\mathit{QBF}_2$ consist of all Quantified Boolean Formulas (QBFs) of the 
form 

$\forall Q_1 \ldots \forall Q_m \exists P_1 \ldots \exists P_n \varphi$, 

where $\varphi$ is quantifier-free. It is well known that the problem of checking whether a 
formula in $\mathit{QBF}_2$ is true is $\Pi_2^p$-complete [Stockmeyer 1977]. We now show how to 
reduce this problem to the validity problem for $\mathcal{C}_2$. 

Let $q = \forall Q_1 \ldots \forall Q_m \exists P_1 \ldots \exists P_n \varphi$ be an arbitrary formula in $\mathit{QBF}_2$. Let $\varphi'$ be $\varphi$ 
with $Q_j$ replaced by the ground literal $Q_j(c)$ and $P_k$ replaced by the literal $P_k(x_k)$, 
for $j = 1, \ldots, m$ and $k = 1, \ldots, n$. It is not hard to see that $q$ is true iff 

$q' = P_1(c) \wedge \ldots \wedge P_n(c) \wedge \neg P_1(c') \wedge \ldots \wedge \neg P_n(c') \Rightarrow \exists x_1 \ldots \exists x_n \varphi'$ 

is valid. This follows from two observations. First, note that $q$ is true iff, for 
every assignment of values to $Q_1, \ldots, Q_m$, there is an assignment of truth values 
to $P_1, \ldots, P_n$ such that $\varphi$ is true. Second, $q'$ is valid iff, for every interpretation of 
$Q_1(c), \ldots, Q_m(c)$, there is an assignment of domain elements to $x_1, \ldots, x_n$ such that 
$\varphi'$ is true. The antecedent $P_1(c) \wedge \ldots \wedge P_n(c) \wedge \neg P_1(c') \wedge \ldots \wedge \neg P_n(c')$ of $q'$ ensures 
that assigning $x_i$ to $c$ makes $P_i(x_i)$ true, while assigning $x_i$ to $c'$ makes $P_i(x_i)$ false. 
Thus, the assignment of values to the variables $x_1, \ldots, x_n$ acts essentially like a 
truth assignment to $P_1, \ldots, P_n$. 

Straightforward manipulations show that $A \Rightarrow B$ is valid iff $A \wedge \neg B \Rightarrow \mathit{false}$ is 
valid, and $A \wedge \neg B \Rightarrow \mathit{false}$ is valid iff $((\neg A \Rightarrow C) \wedge \neg B) \Rightarrow C$ is valid, provided 
that none of the nonlogical symbols in $C$ appear in $A$ or $B$. Taking $A$ to be 
$P_1(c) \wedge \ldots \wedge P_n(c) \wedge \neg P_1(c') \wedge \ldots \wedge \neg P_n(c')$, $B$ to be $\exists x_1 \ldots \exists x_n \varphi'$, and $C$ to be 
$\mathit{Permitted}(d, d')$, where $d$ and $d'$ are distinct from $c$ and $c'$, it follows that $q$ is 
true iff 

$\forall x_1 \ldots \forall x_n \neg\varphi' \wedge (\neg A \Rightarrow \mathit{Permitted}(d, d')) \Rightarrow \mathit{Permitted}(d, d')$ (2) 

is valid. The formula $\neg A \Rightarrow \mathit{Permitted}(d, d')$ is equivalent to 

$\bigwedge_{i=1}^{n} (\neg P_i(c) \Rightarrow \mathit{Permitted}(d, d')) \wedge \bigwedge_{i=1}^{n} (P_i(c') \Rightarrow \mathit{Permitted}(d, d'))$. 

Replacing $\neg A \Rightarrow \mathit{Permitted}(d, d')$ in (2) by the latter formula gives us a formula 
in $\mathcal{C}_2$. Thus, we have reduced the truth of a QBF formula to the validity of a 
formula in $\mathcal{C}_2$, as desired. 

For part (c), we prove the NP-hardness result by reducing the Hamiltonian path 
problem to the validity problem for $\mathcal{C}_4$. Let $G$ be an undirected graph, where 
$V = \{v_1, \ldots, v_n\}$ is the set of nodes and $E$ is the set of edges. Let $\Phi$ be a vocabulary 
that includes the constants $v_1, \ldots, v_n$, a binary predicate $\mathit{Edge}$, and Permitted. 
Finally, let $E = \bigwedge_{(v_i, v_j) \in E} \mathit{Edge}(v_i, v_j)$, and let 

$p = \forall x_1 \ldots \forall x_n (\bigwedge_{i, j \le n;\, i \ne j} (x_i \ne x_j) \wedge \bigwedge_{i < n} \mathit{Edge}(x_i, x_{i+1})) \Rightarrow \mathit{Permitted}(c, c')$. 

It is not hard to show that $E \wedge p \Rightarrow \mathit{Permitted}(c, c')$ is valid iff there is a Hamiltonian 
path in $G$. The key observations are (1) there is a Hamiltonian path iff 
there is an assignment of distinct domain elements to $x_1, \ldots, x_n$ such that there is 
an edge between $x_i$ and $x_{i+1}$ for $i < n$, and (2) there is such an assignment iff 
$E \wedge p \Rightarrow \mathit{Permitted}(c, c')$ is valid. 

We prove the co-NP-hardness result by reducing the validity problem for propositional 
logic to the validity problem for $\mathcal{C}_4$. Let $g$ be a propositional formula, let 
$v_1, \ldots, v_n$ be the propositions in $g$, and let $g'$ be the first-order formula obtained by 
replacing the proposition $v_i$ in $g$ with the ground literal $R(c_i)$ for $i = 1, \ldots, n$. It is 
easy to see that $g$ is valid iff $g'$ is valid. Because $g'$ does not include Permitted, 
$g'$ is valid iff $g' \vee \mathit{Permitted}(c, c')$ is valid. Standard manipulations show that 
$g' \vee \mathit{Permitted}(c, c')$ is equivalent to the $\mathcal{C}_4$ formula $(g' \Rightarrow \mathit{Permitted}(c, c')) \Rightarrow \mathit{Permitted}(c, c')$. □ 

B. PROOFS FOR SECTION 4 

To prove the theorems in Section 4, we need to extend resolution slightly using techniques of paramodulation [Robinson and Wos 1983]. Note that if $c$ is the clause $\forall x_1 \ldots x_n (c' \vee t_c = t'_c)$, $d$ is the clause $\forall y_1 \ldots \forall y_m d'$, $t_d$ is a term in $d'$, and $\sigma$ is a substitution such that $\sigma(t_c) = \sigma(t_d)$, then the following formula is valid:

$$c \wedge d \Rightarrow \forall x_1 \ldots \forall x_n \forall y_1 \ldots \forall y_m (c' \vee d'[t_d / t'_c])\sigma. \qquad (3)$$

A set of clauses is said to be closed under paramodulation if it contains the right-hand side of (3) whenever it contains the clauses on the left-hand side. Let $R_p(f)$ be the set of clauses obtained by closing $f$ under resolution and paramodulation. In other words, $R_p(f)$ is the smallest set of clauses that includes the conjuncts of $f$ (when $f$ is in CNF) and, if we can infer a clause $d$ from two clauses $c$ and $c'$ in $R_p(f)$ by using either resolution or paramodulation, then $d$ is in $R_p(f)$.

Theorem B.1. [Brand 1975] If $f$ is a formula in CNF one of whose conjuncts is $\forall x(x = x)$, then $f$ is satisfiable if and only if $R_p(f)$ does not include $\mathit{false}$.

We remark that the clause $\forall x(x = x)$ is needed here, although it is valid. For example, it is easy to check that $R_p(\forall x(x \ne x))$ does not include $\mathit{false}$, even though $\forall x(x \ne x)$ is not satisfiable. On the other hand, $R_p(\forall x(x \ne x) \wedge \forall x(x = x))$ clearly includes $\mathit{false}$.

Corollary B.2. Let $f$ be a CNF formula, none of whose clauses mentions a disjunct of the form $t = t'$. Then $f$ is satisfiable iff $R(f \wedge \forall x(x = x))$ does not include $\mathit{false}$.

PROOF. Clearly $f$ is satisfiable iff $f \wedge \forall x(x = x)$ is satisfiable. Let $g = f \wedge \forall x(x = x)$. By Theorem B.1, it suffices to show that $R_p(g) = R(g)$. Clearly, $R(g) \subseteq R_p(g)$. To show that $R_p(g) \subseteq R(g)$, it suffices to show that $R(g)$ is closed under paramodulation. It is not hard to see that, because no clause in $f$ mentions a disjunct of the form $t = t'$, no clause in $R(g) - \{\forall x(x = x)\}$ mentions a disjunct of the form $t = t'$. Therefore, applying paramodulation does not lead to any new clauses. □

The next four lemmas relate the closures of various formulas and give bounds on the complexity of computing the closure. In these proofs, it is convenient to associate a clause $c$ with its set of disjuncts, which we denote as $S(c)$. For example, if $\ell_1, \ldots, \ell_k$ are literals, then $S(\ell_1 \vee \ldots \vee \ell_k) = \{\ell_1, \ldots, \ell_k\}$. For the next four lemmas, let $S = \{s \ne s \mid s \text{ is a term}\}$.

Lemma B.3. Let $c$ be a clause with no bipolar literals and let $f$ be a conjunction of ground literals. If a clause $d$ is in $R(c \wedge f \wedge \forall x(x = x))$, then $d$ is in $R(f \wedge \forall x(x = x))$ or $S(d) \subseteq S(c\sigma) \subseteq S(d) \cup S(\neg f) \cup S$ for some substitution $\sigma$.

Proof. Let $R'(c \wedge f \wedge \forall x(x = x))$ consist of the clauses in $R(f \wedge \forall x(x = x))$ and all clauses $c'$ such that, for some substitution $\sigma$, $S(c') \subseteq S(c\sigma) \subseteq S(c') \cup S(\neg f) \cup S$. We want to show that $R(c \wedge f \wedge \forall x(x = x)) \subseteq R'(c \wedge f \wedge \forall x(x = x))$. Because every conjunct of $c \wedge f \wedge \forall x(x = x)$ is in $R'(c \wedge f \wedge \forall x(x = x))$, it suffices to show that $R'(c \wedge f \wedge \forall x(x = x))$ is closed under resolution. To do this, suppose that $c_1$ and $c_2$ are clauses in $R'(c \wedge f \wedge \forall x(x = x))$ that resolve on a literal $\ell$ to create the resolvent $c_3$. We want to show that $c_3 \in R'(c \wedge f \wedge \forall x(x = x))$. If both $c_1$ and $c_2$ are in $R(f \wedge \forall x(x = x))$, then $c_3$ is in $R(f \wedge \forall x(x = x))$, so $c_3 \in R'(c \wedge f \wedge \forall x(x = x))$. If exactly one of the clauses is in $R(f \wedge \forall x(x = x))$, then assume without loss of generality that it is $c_1$. Because $f \wedge \forall x(x = x)$ is a conjunction of literals, every clause in $R(f \wedge \forall x(x = x))$ is either a conjunct of $f \wedge \forall x(x = x)$ or $\mathit{false}$; $c_1$ is the parent of a resolvent, so it is a conjunct of $f \wedge \forall x(x = x)$. Since $c_2 \in R'(c \wedge f \wedge \forall x(x = x)) - R(f \wedge \forall x(x = x))$, there is a substitution $\sigma$ such that $S(c_2) \subseteq S(c\sigma) \subseteq S(c_2) \cup S(\neg f) \cup S$. Since $c_1$ and $c_2$ are the parents of the resolvent $c_3$ and $c_1$ is a conjunct of $f \wedge \forall x(x = x)$, there is a substitution $\sigma'$ such that $c_2\sigma'$ is $c_3 \vee {\sim}c_1$, where ${\sim}c_1$ is the negation of a conjunct of $f$ or has the form $s \ne s$. Because $S(c_2) \subseteq S(c\sigma)$, it follows that $S(c_3) \subseteq S(c\sigma\sigma')$. Moreover,

$$S(c\sigma\sigma') \subseteq S(c_2\sigma') \cup S(\neg f\sigma') \cup S = S(c_3) \cup \{{\sim}c_1\} \cup S(\neg f) \cup S = S(c_3) \cup S(\neg f) \cup S,$$

since $\{(s \ne s)\sigma' \mid s \text{ is a term}\} \subseteq S$, $\neg f\sigma' = \neg f$ (because $f$ mentions no variables), and ${\sim}c_1$ is either a conjunct of $\neg f$ or a literal in $S$. So $c_3 \in R'(c \wedge f \wedge \forall x(x = x))$. Finally, if neither $c_1$ nor $c_2$ is in $R(f \wedge \forall x(x = x))$, then it is not hard to see that there are substitutions $\sigma$ and $\sigma'$ such that $\ell$ is a disjunct of $c\sigma$ and $\neg\ell$ is a disjunct of $c\sigma'$, contradicting the assumption that $c$ has no bipolar literals. □

For the next three lemmas, let $f = E_0 \wedge \forall x(x = x) \wedge \neg\mathit{Permitted}(t, t')$ and let $f' = E_1 \wedge P$, where $t$ and $t'$ are closed terms.

Lemma B.4. $R(f' \wedge f) = \bigcup_{c \in R(f')} R(c \wedge f)$.

Proof. Let $c$ be a clause in $R(f')$. Because every conjunct of $c \wedge f$ is in $R(f' \wedge f)$ and $R(f' \wedge f)$ is closed under resolution, $R(c \wedge f) \subseteq R(f' \wedge f)$. It follows that $\bigcup_{c \in R(f')} R(c \wedge f) \subseteq R(f' \wedge f)$.

For the opposite inclusion, note that every conjunct of $f' \wedge f$ is in $\bigcup_{c \in R(f')} R(c \wedge f)$. So, it suffices to show that $\bigcup_{c \in R(f')} R(c \wedge f)$ is closed under resolution. To do this, suppose that $c_1, c_2 \in R(f')$ and that $e$ is a resolvent with parents $d_1 \in R(c_1 \wedge f)$ and $d_2 \in R(c_2 \wedge f)$. It suffices to show that $e \in \bigcup_{c \in R(f')} R(c \wedge f)$. If $d_1 \in R(f)$, then clearly $d_1 \in R(c_2 \wedge f)$, so $e \in R(c_2 \wedge f)$ and we are done. Similarly, if $d_2 \in R(f)$, then $e \in R(c_1 \wedge f)$. Suppose that neither $d_1$ nor $d_2$ is in $R(f)$. Then it follows from Lemma B.3 that there are substitutions $\sigma_1$ and $\sigma_2$ such that $c_1\sigma_1 = d_1 \vee d'_1$ and $c_2\sigma_2 = d_2 \vee d'_2$, where $S(d'_1) \subseteq S(\neg f) \cup S$ and $S(d'_2) \subseteq S(\neg f) \cup S$. Because $d_1$ and $d_2$ are the parents of $e$, there are substitutions $\sigma'_1$ and $\sigma'_2$, clauses $d''_1$ and $d''_2$, and a literal $\ell$ such that $e = d''_1 \vee d''_2$, $d_1\sigma'_1 = d''_1 \vee \ell$, and $d_2\sigma'_2 = d''_2 \vee \neg\ell$. Putting the pieces together,

$$c_1\sigma_1\sigma'_1 = d''_1 \vee \ell \vee d'_1\sigma'_1 \quad \text{and} \quad c_2\sigma_2\sigma'_2 = d''_2 \vee \neg\ell \vee d'_2\sigma'_2.$$

(Note that $S(d'_1\sigma'_1) \subseteq S(\neg f) \cup S$ and $S(d'_2\sigma'_2) \subseteq S(\neg f) \cup S$, because the only variables that appear in $d'_1$ or $d'_2$ are in disjuncts of the form $t \ne t$.) Clearly $c_1$ and $c_2$ resolve to create a resolvent $e' \in R(f')$. Moreover, $e'\sigma_1\sigma_2 = e \vee d'_1\sigma'_1 \vee d'_2\sigma'_2$, so $e \in R(e' \wedge f)$. □

Lemma B.5. If every clause in $f'$ has at most one literal that is bipolar in $f'$, then $R(f')$ has $O(|f'|^2)$ clauses, each of length at most $2L_{f'}L'_{f'}$, and $R(f')$ can be computed in time $O(|f'|^2)$.

Proof. Note that the resolvent $e$ of two clauses in $f'$ has no bipolars, because every clause in $f'$ has at most one bipolar. It follows that $e$ is not a parent of a resolvent in $R(f')$. So,

$$R(f') = \{c \mid c \text{ is in } S(f') \text{ or is the resolvent of two clauses in } S(f')\}.$$

Thus, $R(f')$ has $O(|f'|^2)$ clauses and each clause has length less than $2L_{f'}L'_{f'}$. To find $R(f')$, we simply check each pair of clauses $c$ and $c'$ in $f'$ to see if there is a literal on which they resolve; if so, we resolve them. The check can be done in time $O(|c||c'|)$; the resolution can be done in time $O(|c| + |c'|)$. Since, by assumption, each clause contains at most one instance of a bipolar literal, there will be at most one resolvent for each pair of clauses. It easily follows that $R(f')$ can be computed in time $O(|f'|^2)$. □

If $C$ is a set of clauses, let $\|C\| = \sum_{c \in C} |c|$. For a predicate symbol $Q$, a variable $v$ is $Q$-constrained in a clause $c$ if $v$ appears as an argument to $Q$ in $c$. Note that a constrained variable, as defined in Section 4.1, is Permitted-constrained.

Lemma B.6. Suppose that $f$ mentions $m$ terms and $C$ is a non-empty set of clauses such that, for every $c \in C$, no literal in $c$ is bipolar in $c$. Then

(a) $\mathit{false} \in \bigcup_{c \in C} R(c \wedge f)$ iff (i) $\mathit{false} \in R(f)$ or (ii) there is a clause $c \in C$ and a substitution $\sigma$ such that $S(c\sigma) \subseteq S(\neg f) \cup S$;

(b) we can determine whether (i) holds in time $O(|E_0| \log |E_0|)$;

(c) we can determine whether (ii) holds in time $O((|E_0| + R\|C\| \, |\mathit{Permitted}(t, t')|) \log |E_0|)$, where $R = m$ if every literal in every clause $c$ in $C$ mentions at most one variable that is not constrained in $c$; otherwise $R = m^k$, where every clause $c$ in $C$ has at most $k$ variables that are not constrained in $c$.

Proof. For part (a), the "only if" direction follows immediately from Lemma B.3. For the "if" direction, it is easy to see that $R(f) \subseteq R(c \wedge f)$ for every clause $c \in C$. So, if $\mathit{false} \in R(f)$, then $\mathit{false} \in \bigcup_{c \in C} R(c \wedge f)$. Also, if there is a clause $c \in C$ and a substitution $\sigma$ such that $S(c\sigma) \subseteq S(\neg f) \cup S$, then it readily follows from the definition of resolution that $\mathit{false} \in R(c \wedge f)$, so $\mathit{false} \in \bigcup_{c \in C} R(c \wedge f)$.

For part (b), because $f$ is a conjunction of literals, it is easy to see that $\mathit{false} \in R(f)$ iff (1) $E_0$ includes a literal of the form $t \ne t$ or (2) $E_0$ includes a literal and its negation. Clearly, we can check whether (1) holds in time $O(|E_0|)$. To check whether (2) holds, we use a splay tree [Sleator and Tarjan 1983], a form of binary search tree for which, starting with an empty tree, $K$ insertions and $S$ searches take time $O((K + S) \log K)$. Specifically, we insert every negative literal in $E_0$ into the empty splay tree $T$. Then, for every positive literal $\ell$ in $E_0$, we search $T$ for $\neg\ell$. Since at most $|E_0|$ insertion and $|E_0|$ search operations are involved, time $O(|E_0| \log |E_0|)$ is required.

For part (c), recall that $f = E_0 \wedge \forall x(x = x) \wedge \neg\mathit{Permitted}(t, t')$. For any clause $c$, let $c_E$ and $c_P$ be clauses such that $c = c_E \vee c_P$, $c_E$ is Permitted-free, and every disjunct in $c_P$ mentions Permitted. Because $E_0$ is Permitted-free, $S(c\sigma) \subseteq S(\neg f) \cup S$ iff $S(c_E\sigma) \subseteq S(\neg E_0) \cup S$ and $S(c_P\sigma) \subseteq \{\mathit{Permitted}(t, t')\}$. It follows that we can find a substitution $\sigma$ such that $S(c\sigma) \subseteq S(\neg f) \cup S$, if one exists, by finding substitutions $\sigma'$ and $\sigma''$ such that $S(c_P\sigma') \subseteq \{\mathit{Permitted}(t, t')\}$ and $S(c_E\sigma'\sigma'') \subseteq S(\neg E_0) \cup S$, and taking $\sigma = \sigma' \circ \sigma''$. We can assume without loss of generality that $\sigma(x) = x$ for every variable $x$ that does not appear in $c$. Thus, we can clearly check if an appropriate substitution $\sigma'$ exists in time $O(|c| \, |\mathit{Permitted}(t, t')|)$, by pattern-matching each occurrence of Permitted in $c_P$ with $\mathit{Permitted}(t, t')$. Moreover, if $\sigma'$ exists, then $|c\sigma'| \le |c| \, |\mathit{Permitted}(t, t')|$, since $\sigma'$ substitutes terms in $\mathit{Permitted}(t, t')$ for variables in $c_P$. Let

$$D = \{d : \text{there is a clause } c \in C \text{ and a substitution } \sigma \text{ such that } \sigma(x) = x \text{ if } x \text{ does not appear in } c,\ S(c_P\sigma) \subseteq \{\mathit{Permitted}(t, t')\},\ \text{and } d = c_E\sigma\}.$$

We can clearly construct $D$ in time $O(\|C\| \, |\mathit{Permitted}(t, t')|)$, by considering the clauses in $C$ one at a time, and $\|D\| \le \|C\| \, |\mathit{Permitted}(t, t')|$. Thus, to complete the proof of part (c), it suffices to show that we can determine whether there is a $d \in D$ and a substitution $\sigma$ such that $S(d\sigma) \subseteq S(\neg E_0) \cup S$ in time $O((|E_0| + R\|D\|) \log |E_0|)$, where $R$ is as defined in the lemma. We can do this by a brute-force search. In more detail, we insert every literal in $E_0$ into an empty splay tree $T$; then, for each clause $d \in D$ and each possible assignment $\sigma$ of terms in $E_0$ to variables in $d$, we check whether every literal in $d\sigma$ is the negation of a literal in $T$ or is of the form $t \ne t$. Suppose every clause $c$ in $C$ has at most $k$ variables that are not constrained in $c$. Then $d$ has at most $k$ variables. Since $E_0$ mentions at most $m$ terms, it follows that there are at most $m^k$ ways of assigning terms in $E_0$ to variables in $d$. As we have observed, the $O(|E_0|)$ insertions and $O(m^k|d|)$ searches can be done in time $O((|E_0| + m^k|d|) \log |E_0|)$. For each literal $\ell$ in $S(d\sigma) - S(\neg E_0)$, we can determine whether $\ell$ is of the form $t \ne t$ in time $O(|\ell|)$. Thus, the time needed to check every clause $d \in D$ is $O((|E_0| + m^k\|D\|) \log |E_0|)$.

We may be able to do better if every literal in every clause $c$ in $C$ has at most one variable that is not constrained in $c$. In this case, every literal in every clause $d$ in $D$ has at most one variable. It follows that, given a clause $d \in D$, we can partition the literals in $d$ into sets according to their variable. That is, we can write $d$ as $d_1 \vee \ldots \vee d_k$, where two literals $\ell$ and $\ell'$ mention the same variable iff $\ell$ and $\ell'$ both appear in $d_i$ for some $i = 1, \ldots, k$. Clearly, there is a substitution $\sigma$ such that $S(d\sigma) \subseteq S(\neg E_0) \cup S$ iff there are substitutions $\sigma_1, \ldots, \sigma_k$ such that $S(d_i\sigma_i) \subseteq S(\neg E_0) \cup S$, for $i = 1, \ldots, k$. For a particular $d_i$, there are at most $m$ possible substitutions of terms in $E_0$ to the variable in $d_i$. So, given a splay tree $T$ whose entries are the conjuncts in $E_0$, we can determine if there is an appropriate $\sigma_i$ in time $O(m|d_i| \log |E_0|)$. Thus, given $T$, we can determine if there are appropriate substitutions $\sigma_1, \ldots, \sigma_k$ in time $O(m|d| \log |E_0|)$. Since we can construct $T$ in time $O(|E_0| \log |E_0|)$, the total time needed for a particular clause $d \in D$ is $O((|E_0| + m|d|) \log |E_0|)$, and the time needed to check every $d \in D$ is $O((|E_0| + m\|D\|) \log |E_0|)$. □

Proposition 4.2. Suppose that $E \wedge P \Rightarrow \mathit{Permitted}(t, t')$ is a standard query in which $E$ is basic, the equality symbol is not mentioned in $E \wedge P$, and there are no bipolars in $P$. Then $E \wedge P \Rightarrow \mathit{Permitted}(t, t')$ is valid iff there is a conjunct $p$ of $P$ such that $E \wedge p \Rightarrow \mathit{Permitted}(t, t')$ is valid.

PROOF. Here and elsewhere, let $E^+$ be an abbreviation for $\forall x(x = x) \wedge E$. By Corollary B.2, it suffices to show that $R(E^+ \wedge P \wedge \neg\mathit{Permitted}(t, t'))$ includes $\mathit{false}$ iff $R(E^+ \wedge p \wedge \neg\mathit{Permitted}(t, t'))$ includes $\mathit{false}$ for some conjunct $p$ of $P$. It follows from Lemma B.4, where we take $f$ to be $E^+ \wedge \neg\mathit{Permitted}(t, t')$ and $f'$ to be $P$, that $R(E^+ \wedge P \wedge \neg\mathit{Permitted}(t, t'))$ includes $\mathit{false}$ iff $R(E^+ \wedge c \wedge \neg\mathit{Permitted}(t, t'))$ includes $\mathit{false}$ for some $c$ in $R(P)$. Since there are no bipolar literals in $P$, $R(P)$ is just the set of conjuncts in $P$, so we are done. □

Theorem 4.1. Let $\mathcal{L}_5$ consist of all standard queries of the form $E \wedge P \Rightarrow \mathit{Permitted}(t, t')$ such that

(1) $E$ is basic (i.e., $E$ is a conjunction of ground literals),

(2) there are no bipolar literals in $P$,

(3) equality is not mentioned in $E \wedge P$, and

(4) every variable appearing in a conjunct $p$ of $P$ is constrained in $p$.

We can determine the validity of formulas in $\mathcal{L}_5$ in time $O((|E| + |P| \, |\mathit{Permitted}(t, t')|) \log |E|)$, where $|\varphi|$ denotes the length of $\varphi$, when viewed as a string of symbols.

PROOF. Let $S_P$ be the set of conjuncts of $P$. By Proposition 4.2, $E \wedge P \Rightarrow \mathit{Permitted}(t, t')$ is valid iff $E \wedge p \Rightarrow \mathit{Permitted}(t, t')$ is valid, for some conjunct $p$ of $P$. By Corollary B.2, the latter statement holds iff $\mathit{false} \in \bigcup_{p \in S_P} R(E^+ \wedge p \wedge \neg\mathit{Permitted}(t, t'))$. It follows from Lemma B.6(a), where we take $C = S_P$ and $f = E^+ \wedge \neg\mathit{Permitted}(t, t')$, that $\mathit{false} \in \bigcup_{p \in S_P} R(E^+ \wedge p \wedge \neg\mathit{Permitted}(t, t'))$ iff (a) $\mathit{false}$ is in $R(E^+ \wedge \neg\mathit{Permitted}(t, t'))$ or (b) there is a clause $p \in S_P$ and a substitution $\sigma$ such that $S(p\sigma) \subseteq S(\neg E^+ \vee \mathit{Permitted}(t, t')) \cup \{s \ne s \mid s \text{ is a term}\}$. By Lemma B.6(b), we can determine whether (a) holds in time $O(|E| \log |E|)$. It follows from Lemma B.6(c), where $f = E^+ \wedge \neg\mathit{Permitted}(t, t')$, $C = S_P$, and $k = 0$, that we can determine whether (b) holds in time $O((|E| + |P| \, |\mathit{Permitted}(t, t')|) \log |E|)$. □
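The decision procedure behind Theorem 4.1, written out as an added example (Python; this is not code from the paper). The environment is a list of ground literals, each conjunct of $P$ is a clause in which every variable is constrained (it appears as an argument of Permitted), and the query is valid iff $E$ contains a literal and its negation (case (a), Lemma B.6(b)) or some conjunct $p$ admits a substitution $\sigma$ under which every literal of $p\sigma$ is either $\mathit{Permitted}(t, t')$ or the negation of a literal in $E$ (case (b), Lemma B.6(c) with $k = 0$). A hash set stands in for the paper's splay tree; the term encoding, the predicate names Librarian and Staff, and the sample environment are constructed for this example.

```python
# Added example (not from the paper): validity of an L5 query E ∧ P ⇒ Permitted(t, t').
# Encoding (this example's own convention):
#   term     = constant 'alice' | variable '?x' | application ('f', arg1, ...)
#   literal  = (positive: bool, predicate: str, args: tuple of terms)
#   clause   = list of literals (a disjunction); the environment is a list of ground literals
# The paper's splay tree is replaced by a Python set; only the log factor differs.

def is_var(term):
    return isinstance(term, str) and term.startswith('?')

def match(pattern, ground, subst):
    """Extend subst so that pattern[subst] == ground (one-way matching, not
    unification, because Permitted(t, t') is closed).  Returns None on failure."""
    if is_var(pattern):
        bound = subst.get(pattern)
        if bound is None:
            subst = dict(subst)
            subst[pattern] = ground
            return subst
        return subst if bound == ground else None
    if isinstance(pattern, tuple):
        if not isinstance(ground, tuple) or len(pattern) != len(ground):
            return None
        for p, g in zip(pattern, ground):
            subst = match(p, g, subst)
            if subst is None:
                return None
        return subst
    return subst if pattern == ground else None

def apply(term, subst):
    """Apply a substitution to a term or to a tuple of terms."""
    if is_var(term):
        return subst.get(term, term)
    if isinstance(term, tuple):
        return tuple(apply(t, subst) for t in term)
    return term

def env_inconsistent(env):
    """Case (a), Lemma B.6(b): an equality-free basic E is inconsistent iff it
    contains a literal and its negation."""
    lits = set(env)
    return any((not pos, pred, args) in lits for (pos, pred, args) in lits)

def clause_refutes(clause, env, goal):
    """Case (b) for one conjunct p: return σ with S(pσ) ⊆ S(¬E) ∪ {Permitted(goal)},
    or None.  Every variable of p is constrained, so σ is fixed by matching the
    Permitted literals of p against the goal; the rest of pσ must be refuted by E."""
    neg_env = {(not pos, pred, args) for (pos, pred, args) in env}
    permitted = [l for l in clause if l[1] == 'Permitted']
    others = [l for l in clause if l[1] != 'Permitted']
    subst = {}
    for pos, _, args in permitted:
        if not pos:  # E is Permitted-free, so a negative Permitted literal can never be covered
            return None
        subst = match(args, goal, subst)
        if subst is None:
            return None
    for pos, pred, args in others:
        if (pos, pred, apply(args, subst)) not in neg_env:
            return None
    return subst

def l5_valid(env, policies, goal):
    """Decide validity of E ∧ P ⇒ Permitted(goal) for an L5 query (Theorem 4.1)."""
    if env_inconsistent(env):
        return True
    return any(clause_refutes(p, env, goal) is not None for p in policies)

# Constructed sample, modelled on the paper's librarian example.
ENV = [(True, 'Librarian', ('alice',)),
       (True, 'Staff', ('bob',))]
# ∀x (Librarian(x) ⇒ Permitted(x, edit_catalog)) in clause form: ¬Librarian(x) ∨ Permitted(x, edit_catalog)
POLICIES = [[(False, 'Librarian', ('?x',)), (True, 'Permitted', ('?x', 'edit_catalog'))]]

if __name__ == '__main__':
    print(l5_valid(ENV, POLICIES, ('alice', 'edit_catalog')))  # True: alice is a librarian
    print(l5_valid(ENV, POLICIES, ('bob', 'edit_catalog')))    # False: nothing permits bob
```

Only clauses whose Permitted literals all match the goal are examined further, and each such clause is checked in time proportional to its length, which is where the $|P| \, |\mathit{Permitted}(t, t')|$ term of the bound comes from.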

Rather than just proving Theorem 4.5, we prove a slightly stronger result, from 
which we will also be able to prove Theorem 5.1. Note that part (b) of the following 
theorem is equivalent to Theorem 4.5. 

Theorem B.7. Suppose that $E$ is a standard environment, $P$ is a conjunction of pure permitting policies, and $D$ is a conjunction of (not necessarily pure) denying policies such that, for every resolvent $f$ created by resolving a conjunct of $P$ and a conjunct of $D$ on a literal that mentions Permitted, either $E \Rightarrow f$ is valid or $q \Rightarrow f$ is valid for some conjunct $q$ of $P \wedge D$. Then

(a) $E \wedge P$ is consistent iff $E \wedge P \wedge D$ is consistent;

(b) $E \wedge P \wedge \neg\mathit{Permitted}(t, t')$ is consistent iff $E \wedge P \wedge D \wedge \neg\mathit{Permitted}(t, t')$ is consistent, where $t$ and $t'$ are terms of the appropriate sort.

Proof. We prove part (a) here; the proof of part (b) is identical.

Suppose that the hypotheses of the theorem hold. Since $g = E \wedge \bigwedge_{p \in P} p$ is consistent, it has a Herbrand model, that is, a model whose domain consists of all the variable-free terms in the language. Of the Herbrand models for $g$, let $m$ be a minimally permissive one, that is, one for which the extension of the $\mathit{Permitted}$ predicate is minimal. We claim that in fact $m \models E \wedge \bigwedge_{p \in P} p \wedge \bigwedge_{d \in D} d$. For suppose not. Then there is a denying policy $\forall x_1 \ldots \forall x_n d$ in $D$ and a variable substitution $\sigma_d$ such that:

(1) $m \models \neg d\sigma_d$ and

(2) for all denying policies $\forall x_1 \ldots \forall x_n e \in D$ and variable substitutions $\sigma_e$ such that $m \models \neg e\sigma_e$, the number of negative literals in $e\sigma_e$ that mention Permitted is at least the number of negative literals in $d\sigma_d$ that mention Permitted. (Note that we are assuming all policies are in CNF, so that the number of negative literals in a policy is well-defined.)

Since $d$ is a denying policy, $d\sigma_d$ has at least one negated Permitted formula among its clauses; that is, $d\sigma_d = d' \vee \neg\mathit{Permitted}(s_d, s'_d)$ for some terms $s_d$ and $s'_d$. Since $m \models \neg d\sigma_d$, we have that $m \models \neg d' \wedge \mathit{Permitted}(s_d, s'_d)$. Since $m$ is minimally permissive, there must be a pure permitting policy $\forall x_1 \ldots \forall x_n p \in P$ and a variable substitution $\sigma_p$ such that $p\sigma_p = p' \vee \mathit{Permitted}(s_d, s'_d)$ and $m \models \neg p'$. (Otherwise, consider the model obtained by removing $(s_d, s'_d)$ from the extension of Permitted; it must also satisfy $g$, and is less permissive than $m$.) Let $f = p' \vee d'$ be the formula created by resolving $p\sigma_p$ and $d\sigma_d$ on $\mathit{Permitted}(s_d, s'_d)$. Note that, by choice of $p'$ and $d'$, $m \models \neg f$. It follows from the definition of resolution and the fact that $p$ is a pure permitting policy that the number of negative literals in $f$ that mention Permitted is less than the number of such literals in $d\sigma_d$. Moreover, by hypothesis, either $E \Rightarrow f$ is valid or $q \Rightarrow f$ is valid for some $q \in P \cup D$. Since $m \models E \wedge \neg f$, $E \Rightarrow f$ is not valid, so $q \Rightarrow f$ is valid for some $q \in P \cup D$. Since $m \models \neg f$, $m \models \neg q$; and, since $m \models \bigwedge_{p \in P} p$ by assumption, $q \in D$. Therefore, there is a denying policy $\forall x_1 \ldots \forall x_n e \in D$ such that $\forall x_1 \ldots \forall x_n e \Rightarrow f$ is valid. It is not hard to show that $\forall x_1 \ldots \forall x_n e \Rightarrow f$ is valid iff there is a variable substitution $\sigma_e$ such that $e\sigma_e = f$. Thus, $\forall x_1 \ldots \forall x_n e$ is a denying policy in $D$ and $\sigma_e$ is a variable substitution such that $m \models \neg e\sigma_e$ (because $m \models \neg f$). The number of negative literals in $e\sigma_e$ that mention Permitted (which is the number of negative literals in $f$ that mention Permitted) is less than the number of such literals in $d\sigma_d$. Thus, we have a contradiction. □

Proposition 4.6. If $q$ is an equality-safe standard query, then there is a standard query $q'$ of the form $E'_0 \wedge E'_1 \wedge P' \Rightarrow \mathit{Permitted}(t, t')$ such that (a) $q$ is valid iff $q'$ is valid, (b) $q'$ is equation-free, and (c) $|q'| = O(|q| L'_q)$, where $L'_q$ is the length of the longest term in $q$. Moreover, we can find such a $q'$ in time $O(|q|)$.

PROOF. Suppose that $q$ has the form $F_0 \wedge F_1 \wedge E_1 \wedge P \Rightarrow \mathit{Permitted}(s, s')$, where $F_0$ is the conjunction of the equality statements, while $F_1$ consists of the remaining conjuncts in $E_0$. To create $q'$, we partition the set of terms in $E_0$ into equivalence classes; terms $t_e$ and $t'_e$ are in the same class if the equality formulas in $E_0$ imply $t_e = t'_e$. The equivalence classes can be found in linear time.⁴ Since $q$ is equality-safe, each equivalence class has at most one term that is not a constant. If an equivalence class has a term that is not a constant, then we choose that term to represent the class; otherwise, we select a representative arbitrarily. Let $q' = F'_1 \wedge E'_1 \wedge P' \Rightarrow \mathit{Permitted}(t, t')$, where $F'_1$, $E'_1$, $P'$, $t$, and $t'$ are the result of replacing each closed term in $F_1$, $E_1$, $P$, $s$, and $s'$, respectively, that also appears in $F_0$ by its representative. It suffices to show that $q$ is valid if and only if $q'$ is valid, because the other statements in the conclusion of Proposition 4.6 follow immediately from the construction of $q'$. Let $q'' = F_0 \wedge F'_1 \wedge E'_1 \wedge P' \Rightarrow \mathit{Permitted}(t, t')$. It is easy to see that $q$ is equivalent to $q''$; substituting a term by its representative in the equivalence class is justified in the presence of $F_0$. Thus, it suffices to show that $q''$ is valid iff $q'$ is valid. The "if" direction is trivial. For the "only if" direction, suppose by way of contradiction that $q''$ is valid and $q'$ is not. It follows that there is a model $m$ with interpretation $I$ that does not satisfy $q'$. Let $m'$ be a model that is identical to $m$ except that $m'$ interprets a constant $r$ as $I(r')$ if $r$ and $r'$ are in the same equivalence class and $r'$ is the class representative. Clearly, $m'$ satisfies $F_0$. Moreover, because $m$ does not satisfy $q'$ and the only difference between $m$ and $m'$ is the interpretation of constants that are not mentioned in $q'$, $m'$ does not satisfy $q'$. This contradicts the validity of $q''$. □

⁴ In general, the problem of constructing equivalence classes is harder than linear time. For example, if $c_1 = c_2$, then $f(c_1) = f(c_2)$. However, we do not have to worry about drawing such inferences: if $E_0 \Rightarrow (c_1 = c_2)$ is valid, then it cannot be the case that $f(c_1)$ and $f(c_2)$ are both terms in $E_0$, for then $E_0 \Rightarrow (f(c_1) = f(c_2))$ is valid, and $q$ would not be equality-safe.

The following example illustrates the procedure for creating q' from q. 

Example B.8. Consider the query "may Bob nap", given that Alice is Bob's wife, Alice may nap, and any individual may nap if his wife may nap. We can write the query as $q = e \wedge p_1 \wedge p_2 \Rightarrow \mathit{Permitted}(\mathit{Bob}, \mathit{nap})$, where

$e = (\mathit{Alice} = \mathit{wifeOf}(\mathit{Bob}))$,

$p_1 = \mathit{Permitted}(\mathit{Alice}, \mathit{nap})$, and

$p_2 = \forall x(\mathit{Permitted}(\mathit{wifeOf}(x), \mathit{nap}) \Rightarrow \mathit{Permitted}(x, \mathit{nap}))$.

The query $q'$ is the result of removing the conjunct $e$ from $q$ and replacing every occurrence of $\mathit{Alice}$ by $\mathit{wifeOf}(\mathit{Bob})$. Thus, $q' = p'_1 \wedge p'_2 \Rightarrow \mathit{Permitted}(\mathit{Bob}, \mathit{nap})$, where

$p'_1 = \mathit{Permitted}(\mathit{wifeOf}(\mathit{Bob}), \mathit{nap})$ and

$p'_2 = \forall x(\mathit{Permitted}(\mathit{wifeOf}(x), \mathit{nap}) \Rightarrow \mathit{Permitted}(x, \mathit{nap}))$.

Note that we replace $\mathit{Alice}$ by $\mathit{wifeOf}(\mathit{Bob})$ because the two terms are in the same equivalence class and, since $\mathit{wifeOf}(\mathit{Bob})$ mentions a function symbol, it is the class representative. Also note that if we replace $\mathit{wifeOf}(\mathit{Bob})$ by $\mathit{Alice}$, then the resulting query is not valid, even though $q$ is. In general, we do not preserve validity if we replace a term that includes a function symbol. That is why we restrict to equality-safe queries in Proposition 4.6. ∎
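The construction of $q'$ from $q$ in the proof of Proposition 4.6, run on the data of Example B.8, as an added example (Python; this is not code from the paper). A union-find structure groups the closed terms mentioned in the equality statements $F_0$ into classes, the unique non-constant term of a class (if any) becomes its representative, and every closed term in the remaining conjuncts and in the query that also appears in $F_0$ is replaced by its representative; a class with two non-constant terms is rejected, because the query is then not equality-safe. The term encoding (constants as strings, variables as strings starting with '?', function applications as tuples whose first element is the function symbol) is this example's own convention.

```python
# Added example (not from the paper): eliminating equalities from an equality-safe query
# (Proposition 4.6), illustrated on Example B.8.
# Encoding (this example's own convention):
#   term     = constant 'Alice' | variable '?x' | application ('wifeOf', arg1, ...)
#   literal  = (positive: bool, predicate: str, args: tuple of terms); a clause is a list of literals
#   equality = (closed term, closed term), i.e. one conjunct of F0

def is_constant(term):
    return isinstance(term, str) and not term.startswith('?')

class UnionFind:
    """Disjoint sets over hashable terms, with path halving on find."""
    def __init__(self):
        self.parent = {}
    def find(self, t):
        self.parent.setdefault(t, t)
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]
            t = self.parent[t]
        return t
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

def equivalence_classes(equalities):
    """Classes of closed terms identified by the equality statements F0.  Only the
    terms literally mentioned in F0 are related (no congruence closure), which is
    enough by footnote 4 of the paper for equality-safe queries."""
    uf = UnionFind()
    for a, b in equalities:
        uf.union(a, b)
    classes = {}
    for t in list(uf.parent):
        classes.setdefault(uf.find(t), []).append(t)
    return list(classes.values())

def representatives(equalities):
    """Map each term of F0 to its class representative: the unique non-constant term
    if there is one, otherwise an arbitrary constant (here the smallest).  Raises if a
    class has two non-constant terms, i.e. the query is not equality-safe."""
    rep = {}
    for cls in equivalence_classes(equalities):
        non_constants = [t for t in cls if not is_constant(t)]
        if len(non_constants) > 1:
            raise ValueError(f'not equality-safe: {non_constants}')
        r = non_constants[0] if non_constants else min(cls)
        for t in cls:
            rep[t] = r
    return rep

def rewrite_term(term, rep):
    """Replace each closed term that occurs in F0 by its representative, descending
    into function applications and leaving the function symbol itself alone."""
    if term in rep:
        return rep[term]
    if isinstance(term, tuple):
        return (term[0],) + tuple(rewrite_term(t, rep) for t in term[1:])
    return term

def rewrite_literal(lit, rep):
    pos, pred, args = lit
    return (pos, pred, tuple(rewrite_term(a, rep) for a in args))

def eliminate_equalities(equalities, clauses, goal_args):
    """Return (clauses', goal_args'), the equation-free query q' of Proposition 4.6."""
    rep = representatives(equalities)
    new_clauses = [[rewrite_literal(l, rep) for l in c] for c in clauses]
    return new_clauses, tuple(rewrite_term(a, rep) for a in goal_args)

# Example B.8, encoded.
EQUALITIES = [('Alice', ('wifeOf', 'Bob'))]                       # e: Alice = wifeOf(Bob)
P1 = [(True, 'Permitted', ('Alice', 'nap'))]                       # p1
P2 = [(False, 'Permitted', (('wifeOf', '?x'), 'nap')),             # p2 in clause form:
      (True, 'Permitted', ('?x', 'nap'))]                          # ¬Permitted(wifeOf(x), nap) ∨ Permitted(x, nap)
GOAL = ('Bob', 'nap')

if __name__ == '__main__':
    clauses, goal = eliminate_equalities(EQUALITIES, [P1, P2], GOAL)
    print(clauses[0])  # [(True, 'Permitted', (('wifeOf', 'Bob'), 'nap'))]  -- p1'
    print(clauses[1])  # unchanged -- p2'
    print(goal)        # ('Bob', 'nap')
```

Choosing the constant Alice as representative instead would rewrite $p_1$ to itself and leave $p_2$ unable to match, which is the loss of validity the example warns about; the function term is therefore the only safe choice, and the equality-safe condition is exactly what guarantees there is at most one of them per class.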

Theorem 4.7. The validity of an equation-free Lithium query $q = E_0 \wedge E_1 \wedge P \Rightarrow \mathit{Permitted}(t, t')$ with $m$ terms in $E_0$ can be determined in time $O((|E_0| + T|E_1 \wedge P|^2) \log |E_0|)$, where $T = m L_{E_1 \wedge P} L'_{E_1 \wedge P} |\mathit{Permitted}(t, t')|$ if every literal in every conjunct $c$ of $E_1 \wedge P$ mentions at most one variable that is not constrained in $c$ relative to $q$; otherwise, $T = m^{2k} L_{E_1 \wedge P} L'_{E_1 \wedge P} |\mathit{Permitted}(t, t')|$, where every conjunct $c$ of $E_1 \wedge P$ has at most $k$ variables that are not constrained in $c$ relative to $q$.

Proof. By Corollary B.2, $q$ is valid iff $R(E_0 \wedge \forall x(x = x) \wedge E_1 \wedge P \wedge \neg\mathit{Permitted}(t, t'))$ includes $\mathit{false}$. Let $E_0^+$ be $E_0 \wedge \forall x(x = x)$ and let $q^+$ be the result of replacing $E_0$ in the antecedent of $q$ by $E_0^+$. By Lemma B.4, $\mathit{false} \in R(\neg q^+)$ iff there is a clause $c \in R(E_1 \wedge P)$ such that $\mathit{false} \in R(c \wedge E_0^+ \wedge \neg\mathit{Permitted}(t, t'))$. By Lemma B.6(a), the latter statement holds iff (1) $\mathit{false} \in R(E_0^+ \wedge \neg\mathit{Permitted}(t, t'))$ or (2) there is a clause $c \in R(E_1 \wedge P)$ and a substitution $\sigma$ such that $S(c\sigma) \subseteq S(\neg E_0^+ \vee \mathit{Permitted}(t, t')) \cup \{s \ne s \mid s \text{ is a term}\}$. By Lemma B.6(b), we can check whether (1) holds in time $O(|E_0| \log |E_0|)$. To determine whether (2) holds, we first note that, by Lemma B.5, we can compute $R(E_1 \wedge P)$ in time $O(|E_1 \wedge P|^2)$. Once we have $R(E_1 \wedge P)$, it follows from Lemma B.6(c), where we take $C = R(E_1 \wedge P)$, that we can determine whether (2) holds in time $O((|E_0| + m^{k'} \|R(E_1 \wedge P)\| \, |\mathit{Permitted}(t, t')|) \log |E_0|)$ if every clause $c \in R(E_1 \wedge P)$ has at most $k'$ variables that are not constrained in $c$. It follows from Lemma B.5 that $\|R(E_1 \wedge P)\|$ is $O(|E_1 \wedge P|^2 L_{E_1 \wedge P} L'_{E_1 \wedge P})$; it follows from the way resolution is defined that $k' \le 2k$. So, we can determine whether (2) holds in time $O((|E_0| + m^{2k} |E_1 \wedge P|^2 L_{E_1 \wedge P} L'_{E_1 \wedge P} |\mathit{Permitted}(t, t')|) \log |E_0|)$.

Suppose that every literal in every conjunct $c$ of $E_1 \wedge P$ mentions at most one variable that is not constrained in $c$ relative to $q$. Then it follows from the definition of resolution that every literal $\ell$ in every clause $c$ in $R(E_1 \wedge P)$ mentions at most one variable that is not constrained in $c$. It follows from Lemma B.6(c), where we again take $C = R(E_1 \wedge P)$, that we can determine whether (2) holds in this case in time $O((|E_0| + m \|R(E_1 \wedge P)\| \, |\mathit{Permitted}(t, t')|) \log |E_0|)$, once we have computed $R(E_1 \wedge P)$. By Lemma B.5, we can compute $R(E_1 \wedge P)$ in time $O(|E_1 \wedge P|^2)$ and $\|R(E_1 \wedge P)\|$ is $O(|E_1 \wedge P|^2 L_{E_1 \wedge P} L'_{E_1 \wedge P})$. So, the total time needed to determine whether (2) holds is $O((|E_0| + m |E_1 \wedge P|^2 L_{E_1 \wedge P} L'_{E_1 \wedge P} |\mathit{Permitted}(t, t')|) \log |E_0|)$. □

C. PROOFS FOR SECTION 5 

Theorem 5.1. Suppose that $E$ is an environment, $P$ is a conjunction of pure permitting policies, and $D$ is a conjunction of (not necessarily pure) denying policies such that the antecedent of Theorem 4.5 holds. Then $E \wedge P \wedge D$ is satisfiable iff $E$ is satisfiable.

PROOF. If $E$ is satisfiable, then $E \wedge P$ is satisfiable. (For any model $m$ that satisfies $E$ there is a model $m'$ that is identical to $m$, except that $m'$ satisfies $\mathit{Permitted}(s, s')$ for all terms $s$ and $s'$ of the appropriate sort; $m'$ satisfies $E \wedge P$.) The result is now immediate from Theorem B.7(a). □